“I speak to many in traditional IT that I call the “folded arms gang.” These are IT executives who need to address the use of cloud computing — typically because the CEO or their board of directors is demanding it — but feel that cloud computing still has too many shortcomings. They want to hear about cloud computing, but they don’t believe in its use.
The good news is that the “folded arms gang” has lost many members as cloud computing proves its value. However, the argument around security and privacy issues in the cloud still comes up often. While there is a certain amount of emotion, and sometimes politics, at play, you must educate those in enterprise IT around the real issues and the real risks. Indeed, I’ve been finding that clouds are more secure than traditional systems, generally speaking. Control does not mean security.
According to Alert Logic’s Fall 2012 State of Cloud Security Report, the variations in threat activity are not as important as where the infrastructure is located. Anything that can be possibly accessed from outside — whether enterprise or cloud — has equal chances of being attacked, because attacks are opportunistic in nature.
The report further finds that Web application-based attacks hit both service provider environments (53% of organizations) and on-premises environments (44%). However, on-premises environment users or customers actually suffer more incidents than those of service provider environments. On-premises environment users experience an average of 61.4 attacks, while service provider environment customers averaged only 27.8. On-premises environment users also suffered significantly more brute force attacks compared to their counterparts.
Clearly, there are myths that cloud computing is inherently less secure than traditional approaches. The paranoia is due largely to the fact that the approach itself feels insecure, with your data stored on servers and systems you don’t own or control.
However, control does not mean security. As we’ve discovered in this report, and in incidences over the last several years, the physical location of your data matters less than the means of access. This is the case for both cloud-based systems and traditional enterprise computing. Moreover, those who build cloud-based platforms for enterprises typically focus more on security and governance than those who build systems that will exist inside firewalls.
Systems built without the same rigor around security won’t be as secure, whether they are cloud or not. So, the best practice here is to focus on a well-defined and executed security strategy with the right enabling technology. Don’t focus as much on the platform.
The guidance I typically provide includes three steps:
- Understand your security and governance requirements for a specific system and/or data store. Many of those who deploy security around cloud or traditional systems don’t understand what problems they are attempting to solve. You need to define those up front.
- Understand that controlling access is much more important than the location of the data. Look at how the data is accessed, and look specifically at opportunities to breach. Again, most of the data breaches occur around finding vulnerability, no matter if it’s cloud-based or on-premises.
- Finally, vulnerability testing is an absolute necessity, no matter if you’re testing the security of cloud-based or traditional systems. Untested systems are unsecured systems.
I suspect that we’ll think differently around security and the cloud as we deploy more public cloud-based systems and data stores and the world does not come to an end. However, without the right amount of planning and good technology, cloud-based platforms can become risky. Same goes for your existing enterprise systems. No free lunch here.”
David S. Linthicum