David Linthicum on Cloud Security

David Linthicum is a well-regarded thought leader in the cloud computing arena.
His post below from GigaOm Pro addresses the “cloud security” issue straight-on — and clearly outlines the data and rationale for why public cloud services are often MORE SECURE than enterprise networks.
Emphasis in red added by me.
Brian Wood, VP Marketing

Security: Getting to the truth in the enterprise vs. public cloud debate

It’s a hotly debated question: Which is better, security within the public clouds or security within traditional enterprise systems?
Some in IT argue that the widely distributed nature of cloud computing makes public clouds much more risky in terms of security threats. However, over the last several years, many breaches were around traditional systems, not public clouds.
The counter to that argument is that there are many more systems in corporate-owned data centers than on the public clouds. Moreover, most security breaches have been simple screw-ups, from laptops being stolen out of cars to newly fired employees walking off with gigabytes of data on USB drives.
As we move forward with public cloud computing, we’re gathering some real data around the real security issues as enterprises consider cloud computing. Perhaps the larger question should be, Is our data safer in the enterprise, or within public clouds?
You can count on the answer being complex.
According to Alert Logic’s Fall 2012 “State of the Cloud Security” report, the variations in the threat activity are not as important as where the infrastructure is located. The report finds that anything that can possibly be accessed from outside, whether enterprise or cloud, has equal chances of being attacked because attacks are opportunistic in nature.
The report further finds that web application-based attacks hit both service provider environments (53 percent of organizations) and on-premise environments (44 percent of organizations). However, on-premise environment users or customers actually suffer more incidents than those of service provider environments. On-premise environment users experience an average of 61.4 attacks while service provider environment customers averaged only 27.8. On-premise environment users also suffered significantly more brute force attacks compared to their counterparts (see Figure 1).

Figure 1: While this is a complex issue, it seems that, in some instances, cloud computing actually provides better security (Source: Alert Logic).

What’s more interesting about this data? There are myths out there that cloud computing is inherently less secure than traditional approaches. This is due largely to the fact that the approach itself, where your data is stored on servers and systems you don’t own or control, feels insecure.
Control does not mean security, as we’ve discovered through incidents over the last several years. Where your data exists matters less than the ways your data can be accessed. This is the case for both cloud-based systems and traditional enterprise computing.
The path to security in the cloud is not much different than the path to security for internal systems. The reason many cloud-based systems seem to actually do better in these studies is that more planning and technology typically goes into securing public cloud-based systems because everyone assumes that security will be an issue. Internal systems may not get the same amount of planning and resources, and thus they can actually be more vulnerable.
For many, this data and future analysis of cloud versus enterprise security won’t make much difference in their confidence about public cloud security. This, despite data that shows, in many instances, there is a clear agility, efficiency, and cost benefit to migrating specific applications to the public cloud. Eventually they will follow the crowd, but it will take a while for that to occur.
All things considered, enterprises considering cloud computing should follow a well-defined path to secure clouds:

  • Understand your security and governance requirements for a specific system and/or data store. While you can create enterprise-wide strategies that encompass many different systems, it’s a much better approach to consider each system as separate and distinct.
  • Understand that controlling access is much more important than the location of the data. Identity-based security systems seem to be a good fit for cloud-based systems. However, you need to consider your own security and compliance requirements.
  • Vulnerability testing is an absolute necessity. It doesn’t matter if you’re testing the security of cloud-based or traditional systems.

The assumption that public clouds are always less secure is something that will take time and new data to dispel. As the more innovative enterprises find success in the public cloud, and that success proves to be an obvious business advantage, the laggards will certainly follow.
