This will be the first of a number of op-ed pieces on the security landscape of cloud computing. Security is often quoted as one of the main reason people back away from embracing the cloud. This I believe is often due to a combination of an over estimation of how secure their current arrangements are and a lack of knowledge about how secure the cloud CAN be. In this last regard the cloud is nothing special, like every other application, database or service its security is largely dependant on how it is used and configured and not its inherent capabilities.
As a step in gaining an understanding of the subject lets break the security landscape down into a number of arenas and look at how a classical on premise data centre, compares with an IaaS based cloud offering. This analysis can be extended to other scenarios but this is an informative example.
The physical arena, covers a direct attack on the equipment. If someone can actually walk up and touch the server then generally you have already lost. Encryption can help but that is very much a silver lining.
- Home Data Centre :- In a small regional facility with limited physical security as all the cost of security is borne by a single operator.
- Cloud IaaS:- Most likely state of the art security and a dedicated physical security team. Total cost of all security is borne across ALL the global clients of the provider.
‘Pipes’ arena, (apologies for the badly overused phrase), data and applications on a server are useless unless people can connect into them. This arena covers everything between the users device and the login screen.
- Home Data Centre:- Physical links into main offices, extremely secure provision of service to everyone at a desk. Mobile access has potentially been bolted on and is an increasingly overused tactical fix as the strategic solution is yet to be implemented.
- Cloud IaaS:- Mobile and Office users are in the same boat, you can’t have a tactical solution here and must expend the time and resources needed to create a fully secure strategic solution.
This is where the CAN statement comes in, a Cloud based solution could be offer greater security than your home solution but only if it is build correctly.
Applications arena, this is a non score draw scenario as its the same applications in both locations. However this is an important arena as using other types of cloud solution such as SaaS and PaaS mean very different applications between the cloud and non cloud based services.
So I saved the best till last the users arena, again this is a no score draw between the two offerings as its the same users using the applications no matter where they are hosted. However it is worth thinking long and hard about how, where and on what users are working.
User arena security items are probably far bigger weak points then any other aspect of security in the modern environment. Sophisticated technology based attacks using zero day exploits make the news and are currently beating nation state security, but for everyone of these attacks there are hundreds based on social attacks on users. It doesn't matter how complex and complete the lock is if someone can borrow a key.
A move to the cloud offers many benefits and can generally be made as secure as current on premise solutions. Focus should be spent on ensuring the your VPN, mobile and remote technology solutions are geared up to handle the increased traffic and are fully thought out strategic choices. However conversation on “how secure the cloud is” are great starting points to re-engage the business in the day to day activities and practices that make your data and applications stay secure independent of where they are delivered from.