One of the biggest remaining disparagers for moving company resources and data to a Public or Hosted Cloud is security. When critical corporate data resides outside of control of IT the entire business is at risk.
At the RSA conference last week, Microsoft and Google unified their response about the security of the Cloud during a panel, suggesting that companies need to get past their fear of the Cloud because it's "secure enough to use." Bruce Schneier, independent security expert, stated that one way to make the Cloud more secure is that vendors, like Microsoft and Google, simply need to build "strong bonds of trust" with customers. But, is trust really a security measure?
To me, this stinks of marketing more than meaning. Any company that has a Cloud service to sell, of course they are going to tell potential customers their offering is completely secure. What company in their right mind would say the opposite? It's easy for company sales teams relying on Cloud revenue streams to bolster sales bonuses to be a little too enthusiastic about the contents of the sale. I can't count the number of times I've seen and heard where a sales person boasts X or Y and then dumps it on the deployment engineer to state reality during implementation.
I'm sure you've heard it before, too…
"Your salesperson said it would do this."
"Yeah. It does, but…"
In the world of Cloud, I believe the word 'trust' is a dangerous term.
The fundamental problem with today's Cloud, is that security is based on what the Cloud vendor believes it should be. Yes, there are standards and standards groups set aside to help create a better security environment, but those are baselines. When you step back and take a broad look, security differs between businesses. Through experience, expertise, and policy, businesses take very different approaches to security and in many cases what's considered secure in one company isn't secure in another – sometimes even in the same business sector.
As vendors like Microsoft, Google, and Amazon build out their Cloud infrastructures and tack on better security through authentication and secure communication channels, they are completely forgetting the customer. Instead of pushing forward with what they believe is the best security available, they need to be working with the customer to determine actual requirements. It's another case where vendors are trying to force customers to work the way they believe it should work, like the vendors believe they know better how business should run. It's like going on a cross country trip to the Grand Canyon at 90 MPH, without any stops or restroom breaks, just to make good time (and, then of course, it's raining when you arrive). Cloud vendors want your company in the Cloud today, without any regard to your needs and your requirements.
As a potential Cloud customer, businesses need to go through a period of internal security policy review and then compare the company's requirements with what Cloud vendors currently offer. Many times companies are taking vendors at their word and jumping into the Cloud without realizing how far apart their security ideals really are. Companies need to steer clear of "just good enough" and make sure that any Cloud offering fits perfectly with corporate security policy.
And, even then, security still needs to come from inside the company. I envision a hardware appliance that sits in the local datacenter that negotiates authentication, response, and authorization for accessing data stored in the Public Cloud. This piece of hardware runs security software onsite that is controlled and managed by the local IT group based on security requirements. In this way, Cloud vendors only need to worry about developing data storage security, they no longer need to sift through the myriad of differences in company policies and try to come up with a blanket solution. Instead, policy comes from IT. IT develops and applies custom security for the business to the security appliance. It's much easier to trust a process and policy that has been scrutinized over and over by those employed by the company and who also face risk for getting it wrong. If Microsoft and Google get it wrong, they move on to the next customer. If IT gets it wrong, they end up looking for another job. So, there's a definite advantage and incentive for locally developed security to be exact and trustworthy.
So, I'm not sold on the statement that the Cloud is "secure enough to use" and I don't believe you should be, either. Definitely be careful and scrutinize every message you see about Cloud security. Compare it to your company's own policy, and if it doesn't fit exactly, remember who ultimately receives the blame if something goes wrong.
