Interesting blog post regarding cloud security from Microsoft Security Specialist Kai Axford. I’ve been spending about 60 hours a week in “the cloud” for the last couple of months and at least one person considers me an “expert” (me) in the area of cloud computing :)
Kai makes the point that perhaps the key security issue in cloud computing is “risk transference”, where the purchaser of a cloud computing solution is merely moving the responsibility for securing the data to the cloud provider, and assumedly, the cloud provider will incur the costs and associated after effects of a security breach.
It would be nice if that were the case, but in my exhaustive research of cloud computing concepts, offerings, and products over the last two months, I don’t see any cloud computing players, be they in the SaaS, PaaS or IaaS spaces who are ready to take the hit for you. They might rebate you for time lost on their system (based on an agreement regarding systems availability), but they will not incur any losses regarding lost data or more importantly for many businesses interested in cloud computing, the loss of brand equity.
Kai is correct that compliance auditing is going to be a major issue for the big cloud providers and the customers who use them. Amazon and Google are far from transparent regarding their software and hardware infrastructure. Try to get low level details on OS, platform and network security on these two cloud providers infrastructures and you’ll be turned away with your hat in your hand.
Until this situation is rectified, it’s unlikely that anyone will be willing to trust proprietary or regulated information to “the cloud”.
However, as I say that, I think of the number of large companies who are willing to trust the information stored in their corporate email to cloud providers such as Google and Microsoft. How do these companies pass regulatory muster? Perhaps there hasn’t been a test case yet, but when that day comes, the complexion of cloud computing and security may change and with arguably unexpected results.
There are a lot of barriers to cloud computing, with regulatory compliance and risk assignment just being two of those issues. Sure, there are providers such as IBM who promote cloud computing concepts who will be able to easily pass regulatory audits, but that’s because their main focus is to suck your organization into the arms of IBM Global Services so that they can take over a piece of your infrastructure and deploy it on their own hardware and software platform environment in a “private cloud” that they manage for you and it sits next to your corporate infrastructure on your campus, hardly the vision of cloud computing being promoted in the media today.
Of course, I’m ignoring the LotusLive SaaS offering from IBM here, but I don’t think IBM sees LotusLive as being the cash cow that IBM Global Services cloud consulting services is envisioned to be.
For Kai’s take on cloud computing and risk transference, check out his article at:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer