Public cloud computing carries with it great promise and great risk. Enterprises are hesitant to get on board, despite continuous advice last year from industry experts to embrace it rather than ban it. Departments and divisions are provisioning their own IT services from the cloud with a credit card — a shadow process that in itself is a risk.
I’ve used the WikiLeaks episode in this blog as a jumping-off point to explore risk in the public cloud, and I now see that it’s just the tip of the iceberg. There’s a lot more under the surface.
The public cloud is nothing if not complex, and “complexity is the enemy of security,” said Steve MacLellan, senior vice president for Enterprise Architecture Financial Services at the Fidelity Technology Group in Boston. That complexity is one reason why the buzz at the start of 2011 has been all about the private cloud.
Well, maybe not all. The public cloud is here, it’s huge and it’s not going away. Hence, organizations that invest the time, money and personnel into building a private cloud are still going to have to grapple with a public cloud strategy, according to Rich Mogull, analyst and CEO at Securosis LLC in Phoenix, and half of the Cloud Security Alliance’s (CSA) Editorial Working Group.
“The biggest risk at the enterprise level is losing control through lack of a cloud strategy,” Mogull said. “We know of organizations that didn’t have policies or controls in place and found themselves with extremely important and sensitive data stored in a weakly secured cloud service.”
Working with the CSA, Mogull is responsible for guidance standards and overall coherence of guidance documents. In other words, he helps make a complex issue less so. It’s no easy task. In developing a list of the top 10 threats to enterprises for SearchCIO.com, I’ve come across dozens of public cloud computing risks in lists compiled by senior executives like Fidelity’s MacLellan and by global organizations like ENISA, the European Network and Information Security Agency. The threats are like trees with branches and buds.
The CSA has been at the forefront of this thinking. The group released guidance on securing the public cloud last year that is being used by corporations around the world. Last September the group invited people to comment on its guidance for an upcoming Version 2.0.
The CSA’s thinking, IMHO, is sublime: Whereas many of the top threat lists roughly match up along such topical areas as security, availability and liability, the CSA’s list indicates that the WikiLeaks episode is a fair reference to risk in the public cloud, especially considering the distributed denial-of-service attacks that followed:
- Abuse and nefarious use of cloud computing.
- Insecure interfaces and APIs.
- Malicious insiders.
- Shared technology issues.
- Data loss or leakage.
- Account or service hijacking.
- Unknown risk profile.
We’ll be looking at the various public cloud computing risks — and mitigation strategies — on SearchCIO.com in the coming weeks. As much as a CIO might wish otherwise, the public cloud is complex, inherently risky and here to stay. But chin up: Defenses against those threats can be more robust, scalable and cost-effective.
In an effort to get enterprises swiftly and safely on board, the CSA will be running a one-day workshop as part of the RSA Security Conference in San Francisco on Feb. 13. Attendees will get a discount on the test for a Certificate of Cloud Security Knowledge, the first of its kind.