Security of the Cloud?

Perception is at least 9 tenths of the law. In Information Security it’s more like 11 tenths. Information Security in the Cloud is an evolving subject. The main providers are gaining client confidence. Vendors are moving quickly to take advantage, but concerns over security are holding people back from gaining these benefits.

Companies are right to be circumspect but before writing off the Cloud as too scary, execs should ask just how secure their data is right now. Can the company do a better job that say Amazon? On average will the company mess up more or less times than say Microsoft or IBM? Will a global player have more or less experience based on hosting thousands of companies?

The average company has to decide their strategy with an eye to threat level but also practicality. The likes of Google, Microsoft and Amazon, whatever you may think of them have to define their threat level as extremely high. As such, the measures they take could go way beyond those of the average company. We also shouldn’t assume large companies do security well. Examples in recent years have shown that very clearly.

When considering security, Cloud may sound scary.However, the idea of data being somehow further away and less controlled or secure is potentially fallacious.

The IT capabilities of companies will vary greatly. Some will have huge expertise and sufficient staff numbers to dedicate to the security of the organization’s data. Some people will make it their life’s endeavour to keep one step ahead of known threats. In an ideal world the security team will be well managed, well funded, motivated, hold stake holder positions on all the right committees and be empowered to get critical things done and veto risky changes. Of course this may not always be the case.

Small companies may well do security better (subjective definition) than large companies.

What of companies with IT departments that run into the hundreds or thousands of people? Is it ever really possible to maintain standards? When a lot of people, systems and suppliers are involved, things can go wrong. Vulnerabilities can arise. You may think you’re secure, but how do you know? Or when will you know you’re not? The stealthy, focussed hacker may not attract attention for some time.

Diligent companies will of course employ a range of methods to protect and check themselves; secure design of code/infrastructure, IDS, AV, firewalls, external red teams etc. But then budget and practicality can over shadow the ideal. Security can get brushed aside without fully understanding the implications. And the ideal is never perfect. If you think you’re totally secure, you’re probably over confident.

Going the full distance with an armoury of diverse measures can be extremely expensive and time consuming. Especially in a large infrastructure. Compromises get made. Risks get assessed and working execs have to balance perception of risk against spend. Effectively; can I justify the platinum plated solution if I don’t think the risk is that high? Not an easy decision for any working CIO. And if they’re not fully informed or don’t have the security background themselves, it may be difficult to make risk assessments. Even if security sits with Head of Risk, the same problem applies. Unless you’re well informed, you don’t know what you don’t know. This is one to be paranoid about and make a very careful leadership appointments.

Even with a vast range of measures, human error can be the weak link, especially in companies that are changing quickly or may be in some form of internal crisis. Indeed, rapid growth can lead to holes in the eco-system.

Give the Cloud a realistic security evaluation. The main providers have significant talent pools and massive resources to manage risk. They can very possibly build stronger defences and when an issue does arise, respond more quickly– their reputation is at stake. There have of course been some famous issues, but it’s all about perspective. In context, has a cloud provider had an unreasonable number of issues when measured across everything they host?

The financial and flexibility benefits of the Cloud mean companies who want to get ahead should periodically re-evaluate their criteria used to decide where to host and their view on security needs. Without critical analysis of what’s needed and what’s possible, Cloud benefits may remain elusive.

Fundamentally, security responsibility cannot be abdicated to a Cloud provider or indeed an internal team. The buck should still stop with the CIO/Head of Risk. So the question is not, can I make security a Cloud company problem, it’s can I do security better if I have services in the Cloud?