This content is part of the Essential Guide: An IT security strategy guide for CIOs


A CIO's advice for cloud security in the cloud age

Brian Lillie, CIO at data center builder Equinix, a company where security is “embedded in everything we do,” said that doling out general advice for bolstering IT security in the cloud computing era is difficult because all organizations are different. But there are guidelines they can follow to take advantage of the lower costs, faster setup and better user experience cloud systems offer — and maintain solid cyberdefense. Here are his three tips for better cloud security:

  1. Have a cloud-first strategy. To Lillie, cloud today means cloud-first. “If you can solve a business problem in the cloud, do it,” he said. “Because that is where all of the investment is going. It’s where most of the [vendor] innovation is happening and more and more and more, their solutions are going to be in the cloud.”

  2. Accept the reality of hybrid IT. Most companies won’t be 100% in the cloud, Lillie said. Some applications, for example, will have to be purpose-built, and those will most likely have to stay on premises — so will highly sensitive applications and ones that are “too core to IT.” So hybrid IT — or an integrated mix of on-premises and cloud systems — should be the aim.
  3. Wrap it all in security. Organizations can’t stop at defending their data centers. As they look more to cloud applications, they need security policies, processes and tools to safeguard those as well. “You’ve got to make sure your data is safe in transit,” Lillie said. “You’ve got to make sure that your integration strategy between your on-premises and your cloud is not only secure but high-performing.” And no one technology does everything, he said. His team has around 25 security tools to keep Equinix’s cloud applications safe, including gatekeeper software called a cloud access security broker, federated identity management for ensuring users are who they say they are, and a Web application security scanner to detect weaknesses in applications. “I actually think that a set of tools layered is the best defense,” Lillie said.