Security Is Not an Insurmountable Obstacle to Cloud Computing

 Another article, Security Is Chief Obstacle To Cloud Computing Adoption, on cloud computing and security.  Last month Gartner had an excellent post.  A Google search on “cloud computing” & “security” yields over 53 millions results.  So, the concerns abound regarding security and I have posted before on how security is one of two critical issues, particularly with CIOs, with cloud computing.  (The other being the “End User Experience.”)

The security concerns are valid and range from loss of control, compliance & legal, data protection, disaster recovery and confidentiality.

But companies, including Amazon, Google,  Microsoft, have implemented secure cloud infrastructures. Recently, the City of Los Angeles announced that it has just put it’s trust in Google apps for it’s 30,000 city employees., which we use internally at World Wide, is trusted by over 65,000 companies and million users.  In addition to the SaaS firms, there are the hosting and infrastructure as a service companies like Savvis.

My thought is that these companies employ as competent and as strong of  information security and risk management staff as any internal Fortune 500 IT organization.

I’m not suggesting it’s a trivial matter, but overcoming the “security obstacle” is possible.  Besides, it’s not an all or nothing matter.    Two deployment dimensions exists.  First, the cloud paradigm is a continuum between private and public infrastructure.   CIO’s concerned with security can take advantage of cloud technology and start within their own, private four walls.  The second dimension is the type of data.  CIO’s can decide which apps and information they’re most comfortable with moving to the public cloud.

When moving your apps and data to a public cloud, additional options exist for how that information is managed.   Chris Black, leading our federal data center strategy, also reminds me of the cost element associated with the public cloud deployment dimension.  Chris said in an email to me, “Cost is proportional to security.  You can ask that your data [in the public cloud] be isolated and pay for the independent infrastructure and utilize/leverage the operational services. ”

Some transactions and information have a lower risk profile and, in fact, CIO’s have been letting millions of bits of private company information exit their four walls to the public cloud for years.  That app? Corporate email.  Payroll is another application with highly sensitive information that has been processed outside of IT’s four walls for years.

There are many sources of information regarding approaching security in the cloud.  The ENISA Cloud Computing Security Risk Assessment is an excellent starter and provides an approach to:

  1. assess the risk of adopting cloud services;
  2. compare different cloud provider offerings;
  3. obtain assurance from selected cloud providers;
  4. reduce the assurance burden on cloud providers.

We should not forget that there are actual security benefits associated with cloud computing.  From the same Report:

  1. Security and the Benefits of Scale
  2. Security as a Market Differentiator
  3. Standardised Interfaces for Managed Security Services
  4. Rapid, Smart Scaling of Resources
  5. Audit and Evidence-gathering
  6. More Timely, Effective and Efficient Updates and Defaults
  7. Benefits of Resource Concentration

Overcoming the security obstacle is well worth the effort to gain all of the much publicized benefits of cloud computing’s “ilities” (scalability, agility, flexibility) and its service/utility cost model.

5 responses to “Security Is Not an Insurmountable Obstacle to Cloud Computing

  1. Excellent article Bob, I couldn’t agree more with your analysis of the security considerations relating to cloud computing. I’ve been seeing an increased focus on security in SaaS infrastructures drive a commensurate increase in the level of security in private infrastructures as well. Most companies realize they’re only truly as secure as their weakest link and are therefore taking steps to improve their overall security posture.

  2. Bob,

    I will grant you that economies of scale enable critical mass to optimize the state of the art. The problem is the state of the art isn’t much good.
    Laying on more layers of what is already failing does not do much more than add complexity.

    I see to many too many companies touting that their ID management or authentication solution, edge security, is the answer to cloud security, but what controls are being applied to the business processes to protect against abuse by administrators or authorized users? Authentication as a proxy for authorization will lead to a lot of hard lessons.

  3. Hi Bob,

    Thanks for the post. I am going through the move to the cloud right now. I am also thinking about writing a paper about doing a security analysis when considering cloud solutions. Would you mind talking to me some time about your experiences with cloud solutions?

  4. Pingback: The Great Cloud Security Challenge: I Triple-Dog-Dare You… | Rational Survivability

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s