The Cloud Security Paradox
Jim Harris in Sponsored Blog Posts tagged Best of 2011, Cloud, Data Security, Enterprise CIO Forum, HP Monday, October 17, 2011 at 1:00PM This blog post is sponsored by the Enterprise CIO Forum and HP.
Nowadays it seems like any discussion about enterprise security inevitably becomes a discussion about cloud security. Last week, as I was listening to John Dodge and Bob Gourley discuss recent top cloud security tweets on Enterprise CIO Forum Radio, the story that caught my attention was the Network World article by Christine Burns, part of a six-part series on cloud computing, which had a provocative title declaring that public cloud security remains Mission Impossible.
“Cloud security vendors and cloud services providers have a long way to go,” Burns wrote, “before enterprise customers will be able to find a comfort zone in the public cloud, or even in a public/private hybrid deployment.” Although I agree with Burns, and I highly recommend reading her entire excellent article, I have always been puzzled by debates over cloud security.
A common opinion is that cloud-based solutions are fundamentally less secure than on-premises solutions. Some critics even suggest cloud-based solutions can never be secure. I don’t agree with either opinion because to me it’s all a matter of perspective.
Let’s imagine that I am a cloud-based service provider selling solutions leveraging my own on-premises resources, meaning that I own and operate all of the technology infrastructure within the walls of my one corporate office. Let’s also imagine that in addition to the public cloud solution that I sell to my customers, I have built a private cloud solution for some of my employees (e.g., salespeople in the field), and that I also have other on-premises systems (e.g., accounting) not connected to any cloud.
Since all of my solutions are leveraging the exact same technology infrastructure, if it is impossible to secure my public cloud, then it logically follows that not only is it impossible to secure my private cloud, but it is also impossible to secure my on-premises systems as well. Therefore, all of my security must be Mission Impossible. I refer to this as the Cloud Security Paradox.
Some of you will argue that my scenario was oversimplified, since most cloud-based solutions, whether public or private, may include technology infrastructure that is not under my control, and may be accessed using devices that are not under my control.
Although those are valid security concerns, they are not limited to—nor were they created by—cloud computing, because with the prevalence of smart phones and other mobile devices, those security concerns exist for entirely on-premises solutions as well.
In my opinion, cloud-based versus on-premises, public cloud versus private cloud, and customer access versus employee access, are all oversimplified arguments. Regardless of the implementation strategy, technology infrastructure and especially your data needs to be secured wherever it is, however it is accessed, and with the appropriate levels of control over who can access what.
Fundamentally, the real problem is a lack of well-defined, well-implemented, and well-enforced security practices. As Burns rightfully points out, a significant challenge with cloud-based solutions is that “public cloud providers are notoriously unwilling to provide good levels of visibility into their underlying security practices.”
However, when the cost savings and convenience of cloud-based solutions are accepted without a detailed security assessment, that is not a fundamental flaw of cloud computing—that is simply a bad business decision.
Let’s stop blaming poor enterprise security practices on the adoption of cloud computing.
This blog post is sponsored by the Enterprise CIO Forum and HP.
Related Posts
The Good, the Bad, and the Secure
Securing your Digital Fortress
Shadow IT and the New Prometheus
Are Cloud Providers the Bounty Hunters of IT?
The Diderot Effect of New Technology
The IT Consumerization Conundrum
The IT Prime Directive of Business First Contact
A Sadie Hawkins Dance of Business Transformation
Are Applications the La Brea Tar Pits for Data?
Why does the sun never set on legacy applications?
The IT Pendulum and the Federated Future of IT
Reader Comments (3)
I think you are spot on. One of the points I try to make to people is that they have been using "things controlled by others" and "multi-tenant systems" for many years (a.k.a, Hosted Service Providers).
The fact is that you have to design/architect security for the technology that you choose, then implement it correctly. No technology is completely insecurable, just as nothing is completely securable.
Just look at the data breach reports, how many breaches were related to the "insecurable cloud" (none) and how many because of poor system administration or design (most).
Again, nice article. In total agreement.
Phil
Thanks Jim. One of the interesting points here is how ‘security’ means different things to different people. In terms of the cloud, I prefer to split ‘security’ up into ‘safety’ and ‘privacy’, as the pros and cons of cloud storage are quite different for each, and in fact form a second paradox.
For data safety, I would argue that a well-structured, cloud-based solution will be at least as good as an in-house model, and probably far superior. If your data is being replicated across multiple nodes in multiple locations, nothing short of complete loss of internet access will impact availability, and that scenario would typically impact local access as well. While recent service interruptions with Amazon’s EC2 service have scared a lot of potential businesses, it was Amazon’s implementation of the model which failed, not the model itself (if memory serves, they had located their backup nodes too close to their primary, resulting in both being taken down by a single lightning strike).
Data privacy, however, is where cloud security gets interesting. In the same way data safety increases with multiple nodes spread across multiple sites, all things being equal data privacy decreases at the same rate. For example, if your corporate data was being replicated across nodes in US, Europe and Asia, the privacy of your data is the lowest common denominator of the processes of each site, combined with the nuances of local privacy laws and practices etc.
On top of that, it’s important to remember cloud vendors have a financial incentive to keep your privacy at the lowest level their customer base will tolerate. Reducing privacy levels will reduce their internal process cost, and reduce storage space by storing a single copy of any identical files across multiple clients (deduping). The business models of many cloud vendors only make sense on the basis of these practices, both of which present a privacy risk; worse, the financial benefit to the vendor will increase as their client base grows.
As cloud customers, the crucial weapon we have is of course client-side encryption. Services like Dropbox etc. love to tell us not to worry because our data is completely private*… until you follow that little asterisk and find out they can access your files if the government asks them to, and for the purposes of deduping. The dirty little secret of course is if they can decrypt your data for the government, an administrator could decrypt it for a competitor.
It’s only a matter of time before there’s a highly public breakdown in vendor-side encryption model. Long term, I expect to see an increase in premium, client-side encryption services targeted at corporate clients. To me, this will offer the best of both worlds, and will benefit both vendors and their clients.
Read this great related article written by Paul Wallis on the OBASHI Think Blog: Security: Cloud vs. On-premises