Thursday, December 4, 2008

What if the cloud is MORE secure?

My job usually involves the normal, boring day to day security stuff and so I don't want to bore my readers (both of them) and give away company secrets. So, I like to stay ahead of the game and blog about what the future holds.

I honestly still think that the past is where we are heading (see my earliest posts). Actually, I think that the future will be summed up thus: "New exciting technologies; good, old-fashioned security".

Some of my most valuable sources are Gartner, Securosis and Rational Survivability. They don't all agree but I use the best of each to make up my own mind.

One technology that all of them have touched on is "Cloud Computing".

This is a lovely concept which has no formal definition. Essentially, it seems to be this: you take all your systems and send them out somewhere to some company who will then host the systems for you. By "systems", I mean applications or technical functions.

The level of control that you have is very variable too but I think that one of the benefits of cloud computing is that you give up having to worry about the nuts and bolts and focus on the benefits. This is wonderful but it can also be a curse - you lose control of your processes and the protection of your data.

For a company that makes widgets not to have to take care of a data center, is excellent. And, you get to leverage off best practices in that you use experts in their own fields to manage your IT. So, you use a dedicated mail place (like GMail or Hotmail), a dedicated storage place, a dedicated CRM place, etc.

Those places can use economies of scale so that it gets cheaper the more people who use their services.

Everyone wins. And especially nowadays that CIOs (at the request of CFOs) are looking to bring their costs down.

The main issue is one of Security. Although, connectivity could be an issue as well. (Your link goes down and you are at the southern most tip of Africa and your presentation is on the other end of a broken link, in North America.. the CEO is waiting..)

But back to Security.

Obviously a company that holds private information for a number of companies would be a target for online criminals so you'd be giving your information to a company that is a target. More than that - you still hold the risk if the information is leaked but you lose the control of knowing where the information is at any one time or what is happening with it. You really only have the company's assurance that they will take good care of your information for you.


It seems that a great a number of Cloud-providers are very vague about what security measures they have in place. There is one that stands out for me though - BoardVantage. I don't use their service (or have anything to do with them really) and have no idea how secure they are but they certainly claim to be very secure - they detail what their controls are and they have had a SAS70 type 2 audit done.

Assuming that they do everything that they say that they do - they are streets ahead of most corporate networks. Going by Verizon's Breach report thing - most companies are breached by methods that are very simple and vulnerabilities that have patches that are very old. So, it may be more secure to use this company than to keep the information on your own network.

PS. I know that there is no one Cloud but as things stand at the moment most "clouds" are really walled gardens (confused yet) and so each provider takes care of their own part of "the cloud".

The answer is that you would have to really consider using a "cloud provider" instead of dismissing them off-hand. And if all major "cloud providers" became more secure then security would not be something holding this idea back but could be a good reason to investigate using the cloud.

No comments: