Previously, I discussed the myth that “their stuff is more risky than our stuff.” A couple weeks ago, I saw this article in eWeek, “Cloud Security Remains Top Business Worry.” I felt that it warranted a post as another cloud myth, basically a corollary to “their stuff is more risky than our stuff.”
The eWeek article reports on Symantec’s 2011 State of the Cloud survey. The survey, unsurprisingly, reports that security was rated the top concern for those considering a move to “the cloud.” Why “unsurprisingly?” Well, because security has been a top concern of those moving to “the cloud” ever since people started mentioning “the cloud” in the first place. That’s because IT security is a very valid concern whether you’re going to use the cloud or not. After reading the eWeek article, my response was basically, “Well, duh,” with an appropriate rolling of my eyeballs.
There is so much ambiguity in what “security” means to different people that it allows the word to get used like a monster under the bed to sow FUD. When you say “security,” do you mean data privacy, whether for data in flight or data at rest? Do you mean data retention? Do you mean avoiding denial of service? Do you mean unauthorized access? Etc., etc. The natural reaction is to just reply with “Yes. All of that. And more.”
The assumption at work here is, again, that “their stuff is more risky than our stuff.” Our internal security is great, and if we move something to the cloud, it might not be. While it’s true that it might not be, that doesn’t mean that it won’t be. If your organization hires top-notch security personnel and you are absolutely diligent about every security best-practice, then maybe the folks at your cloud service provider will not measure up. If you like to work with second-rate cloud service providers who don’t hire security experts, then maybe their security will be shoddy. Yes, you’ll definitely want to ask a series of security-related questions when you choose your cloud provider. But as you select your providers, try to keep yourself in the realm of healthy paranoia and out of the realm of mere FUD.
I’ll give you two anecdotes to make the point. Be careful about drawing definitive guidance from anecdotes, but take note of the larger themes here.
The first anecdote is a conversation I had with a CTO at a major bank. He said, flat out, “The people in this bank who are pushing back on cloud computing because of security concerns simply don’t understand how poor our internal security really is. Frankly, moving to the cloud would be a step up.” That set me back on my heels. The upshot was, even though he had this huge IT organization that hired a multitude of security personnel, he still didn’t feel that he was as secure as he could be internally. And this was a bank, which, because of financial regulations and numerous industry best practices, has a healthy respect for IT security. This CTO felt that there were so many groups, so many exceptions, so much going on, that there were still gaps. By off-loading some of this to a more disciplined organization that would be paid directly on whether things were kept secure, with a written SLA, he felt that security would actually go up. Did that mean he felt that cloud security was perfect or that he wasn’t worried about it? Heck, no. He was very concerned about it. But he felt that just because his organization employed a lot of security people, that wasn’t the same thing as a secure internal IT operation or that external providers couldn’t be more secure. In short, he didn’t fall for the “their stuff is more risky than our stuff” myth.
The second anecdote is from a friend of mine who is starting a small business. He’s not a ServiceMesh client, but he was thinking about how to set up his accounting system and wanted some advice on whether he should do it “in the cloud” or with local software installed on his laptop. Without me prompting, he said that he was leaning towards putting it in the cloud because there he could rely on the service provider for reliable backups and he wouldn’t have to worry about fire or even theft of his laptop. He asked what I thought of the risk that somebody would compromise his data (“hackers”). I told him I agreed with his assessment and that he probably had more chance of getting his laptop stolen while getting a coffee refill at Starbucks than he did of having his data “hacked.”
In short, don’t fall victim to the security monster under the bed. That’s just FUD and it has no place in your thinking. Keep your head clear when thinking through cloud security. Security is a valid concern. There are real dangers there, and you’ll need to do your research and understand what your cloud service provider is really offering you and what they are willing to stand behind. But honestly, you should be asking the same questions of your internal IT group.
Feel free to reach out to ServiceMesh for advice and assistance. We work with global companies on a daily basis. We have developed a comprehensive set of security solutions for hybrid cloud environments and we can enforce a variety of security measures through the policy and governance features of the Agility Platform. We can help you, too.