/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsIt's clear that for many organisations, the security of cloud services is a real barrier to adoption. In fact, a recent survey of more than 300 CIOs found that 78per cent felt that security was the main thing holding them back from embracing cloud technology, and in particular, the public cloud.
Cloud adoption is on the increase, driven by elasticity, scalability and flexibility. IDC estimates the Indian Cloud market to be in the region of $535m in 2011, with a growth of more than 70 per cent expected for 2012 and almost 50 per cent growth forecasted for the next three years. But does that translate to sufficient security in the cloud?
I'm reminded of a regular mantra that peppers so many of my security presentations: the answer to the question of "how much security?" is "just enough." Of course, quantifying "just enough" takes a bit of work. Alas, with so many security checklists available, it's tempting to blindly follow someone else's advice-especially advice that just might happen to confirm existing prejudices. This is exactly the wrong thing to do.
A key point to remember is that many security decisions involve making some kind of tradeoff. To be secure in the cloud requires trading off one form of control for another. Traditional security controls are grounded in location: if you know where something is, and you can claim ownership of it, then it's probably secure. If you don't know where something is, and someone else appears to own it, then it's probably not secure.
In the cloud, location-based security as a concept falls apart. You can't pinpoint the exact location of your data (building, room, rack, unit, drive). And this is a good thing! Someone else is the steward of your data-someone who likely has a larger budget and more staff dedicated to protecting your data from outside attacks, from other customers, and even from the provider itself.
Does this mean that, to achieve the promised benefits of cloud computing, your tradeoff requires giving up all security?
No. The tradeoff you make requires changing your understanding ofcontrol. You give up the old model of location-based control and instead adopt a new one. This new model is built from service level agreements, auditable security standards, and technology for privacy plus integrity protection (that is, encryption plus digital signatures). You can retain control-and ownership-of the data even though you don't have control-or ownership-of the infrastructure.
In one respect, the model isn't so new: we use it already for connectivity. Where shared pipes (the Internet) have replaced dedicated pipes (leased lines), we rely on this very same model to keep data in transit secure. The model extends to compute and storage, as well.
However, there is another factor, one that I like to call a disinterested third party. Cloud providers don't know about the context of your data and how valuable it is to you. This can reduce insider threats a lot. But they do care about the safety of your data? Like street food vendors in Bangkok, who understand that their very livelihood depends on not killing their customers, cloud providers understand that it's in their own best interest to implement controls that enforce high degrees of separation between their administrative tasks and their customers' data. Plus, these controls also make the cloud a difficult platform for bad guys seeking to steal data or launch attacks.
Providers work to build massive scale with as much automation as possible: fewer humans mean fewer opportunities to make mistakes, which corresponds to a reduction in risk. Fundamentally, "how much security?" isn't the right question. Instead, ask yourself "how much risk?" Security decisions guided by sound risk assessment always strike the right balance and make the right trade-offs.
CIOs and CSOs, I urge you to get on the phone with your provider's CSO and ask about their risk mitigation strategies-the good ones are willing to share this information, because they know it's how they can win your trust. You'll probably discover that they've envisioned and mitigated risks you haven't even thought about.
Cloud computing solves a lot of problems really well. And it's maturing-compared to just a couple years ago, offerings are more diverse and flexible, coming from well-known and trusted companies. If cloud security is becoming good enough for a marked increase in adoption of cloud services by some, then it's probably becoming good enough for the rest of us, too?
(The author is marketing evangelist, APAC & Japan, Riverbed Technology)
Â