Question: As the cloud model of IT service delivery matures, have the security standards and technologies kept up?
Cloud Computing has already fundamentally changed the way consumers and small businesses use the Internet. However, as with any new technology model, there are going to be some hurdles to overcome before universal acceptance. According to a 2010 Kelton Research survey of 537 IT and business executives, security concerns were the top reasons cited for not adopting cloud technology. Two recent survey articles on cloud security offer some insights on the differences of opinion about cloud security within the cloud technology community. While the two articles cover much of the same material, Blumenthal’s “Is Security Lost in the Clouds?” takes a considerably more pessimistic view of the ability of existing technology to address the problem than Bisong, A., & Rahman, S. M. in their “Overview of the Security Concerns in Enterprise Cloud Computing.”
Bisong and Rahman suggest that if the cloud implementation properly follows IT industry best practices, securing the cloud is primarily a technical problem that can be easily addressed. Their overall message is that cloud security is nothing to worry about and the existing technology and services are more than adequate for the task of protecting enterprise data in the cloud. They spend relatively little time discussing how to quantify the many complexities of the legal, operational, business and technical risks of a cloud computing implementation. They barely mention the problem of cloud ownership and who is responsible for maintaining the integrity and privacy of data in the cloud, concerns I have discussed extensively in the past. While there have been improvements in cloud security (the work of the Cloud Security Alliance is particularly noteworthy), there is still plenty of room for more innovation. There must be a fundamental shift of thinking about cloud security before IT executives’ fears can be permanently assuaged.
On the other end of the spectrum, Blumenthal is clearly more paranoid. She postulates some additional threats unique to the cloud environment, such as clouds as hacker fronts, which she terms “hacking as a service,” and clouds as havens for illegal activities. She digs into not only the technical security issues but also the potential business risks, discussing the cloud strategy tradeoffs of giving up autonomy in return for lower costs and elasticity. While she agrees that there are great advantages to moving enterprise applications to the cloud, she cautions the reader to note that once all the proper safeguards are implemented, the “apparent economic advantages of the public cloud” might well be eroded. She advises enterprises that are considering moving their IT applications into the cloud to fully analyze the risks and move carefully.
Figure 1: Diagram of Cloud Security Risks
In conclusion, network security people generally tend to be a paranoid group and both articles clearly spell out the many dangers inherent in moving the enterprise to public cloud architectures. However, in comparing the two articles it is clear that Blumenthal is far more knowledgeable about not only the technical issues but the overall complexities of delivering secure enterprise cloud services that meet the business requirements for risk mitigation. I would trust her conclusions that the inherent insecurity of cloud services has not been properly addressed by the community or the vendors yet.
About the Author
Beth Cohen, Cloud Technology Partners, Inc. Moving companies’ IT services into the cloud the right way, the first time!