Thursday, August 6, 2009

Security: Cloud Computing: Who do you trust?

A colleague sent me the link to a post about security and Cloud computing. The issue at hand is how can you trust your data to the Cloud.

Some snippets and my comments below.
Schneier on Security: Cloud Computing:
"But, hype aside, cloud computing is nothing new . . . Any IT outsourcing -- network infrastructure, security monitoring, remote hosting -- is a form of cloud computing."
But what about security? Isn't it more dangerous to have your email on Hotmail's servers, your spreadsheets on Google's, your personal conversations on Facebook's, and your company's sales prospects on's? Well, yes and no.
Yes and No. There are significant differences between Hotmail, Facebook and Salesforce. As for sales prospects being valuable information. Sorry that doesn't pass the laugh test for me in a world Google Search, twitter, etc. etc.
IT security is about trust. You have to trust your CPU manufacturer, your hardware, operating system and software vendors -- and your ISP. Any one of these can undermine your security: crash your systems, corrupt data, allow an attacker to get access to systems. We've spent decades dealing with worms and rootkits that target software vulnerabilities. We've worried about infected chips. But in the end, we have no choice but to blindly trust the security of the IT providers we use.
Lost me with "blindly trust." It's much too risky either in the enterprise or outside the enterprise.
Saas moves the trust boundary out one step further -- you now have to also trust your software service vendors -- but it doesn't fundamentally change anything. It's just another vendor we need to trust.

Instead of vendor it might be more useful to think of it as a functionality that lives in it's own world of resources that makes it's decisions on this basis of benefits and risks to itself. If you've ever tried to get an internal IT department to focus on the business goals of an enterprise you probably know what I mean. The error is to think that money can buy you trust. It can't.

There is one critical difference. When a computer is within your network, you can protect it with other security systems such as firewalls and IDSs.

Given the security breaches in many organizations, my responses is yes and no. Viruses mutate every day. Once a computer system is the focus of interest, it's a never ending struggle. They mutate, you do a response. You build a stronger wall. They build a more effective attack. Such is life.

You can build a resilient system that works even if those vendors you have to trust may not be as trustworthy as you like. With any outsourcing model, whether it be cloud computing or something else, you can't. You have to trust your outsourcer completely. You not only have to trust the outsourcer's security, but its reliability, its availability, and its business continuity.

I'm not sure about "the resilient systems that . " But "trust your outsourcer completely" is spot on. It also means you have to trust your IT department completely.

You don't want your critical data to be on some cloud computer that abruptly disappears because its owner goes bankrupt . You don't want the company you're using to be sold to your direct competitor. You don't want the company to cut corners, without warning, because times are tight. Or raise its prices and then refuse to let you have your data back. These things can happen with software vendors, but the results aren't as drastic.
100% yes. That's why I think the safest choice is Amazon/ Google/Salesforce or IBM. If they screw up security they are out of business. The brand damage would be enormous. Since they all have a very good track record of being successful growing businesses the chances of them continuing in that direction is pretty good.

The issue is a clear evaluation of the risks. Only then is it possible to have a useful discussion about the benefits.

1 comment:

  1. I recently came accross your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.