Earlier this week I traveled to Gartner's Security and Risk Management Summit to try to get a sense of what's at the top of information security managers' agendas in mid-2010, a time when (hopefully) many businesses are pulling out of recession mode and ramping up long-delayed security projects.
There's certainly more overall optimism than I've seen in some time, but my most surprising discovery was that security pros can't get enough of the cloud. For instance, as I wrote earlier this week, I couldn't help but notice how a large audience of security pros was captivated by two Google Enterprise desktop security case studies, even though neither one offered much talk about security.
During a case study presentation about secure Web gateways, one of the first questions from the audience was whether the speaker's organization had considered a cloud-based gateway. And in my one-on-one conversations with attendees, the cloud was consistently one of the first and most enthusiastic topics raised.
So my question is this: Have you all gone crazy?
I'm not sure why infosec's finest have suddenly become so enamored with the cloud. Maybe it's the promise of across-the-board cost savings for IT. Maybe it's the simplicity of having fewer in-house systems. Maybe it's the pipe dream of making security of the organization's data someone else's problem.
As a public service to you, our readers, I wanted to offer a brief, far-from-comprehensive reality check. For starters, it should be noted there's no such thing as standardizing security for the cloud, because there's no such thing as a standard cloud. Outsourcing infrastructure, platforms and software each requires different security measures. There are hosted public clouds, private clouds, hybrid clouds, community clouds... you get the picture. With cloud security, there's no one-size-fits-all strategy.
There are many other more specific points worth considering. Here are a few:
- The risks of cloud computing outweigh the benefits, according to nearly half the respondents of a recent ISACA survey of 1,800 members; only 10% of respondents' organizations plan to use cloud computing for mission-critical IT services.
- The Cloud Security Alliance says there are seven high-level threats to cloud computing that span all service models, and organizations eager to jump into cloud computing often fail to properly assess the risks.
- There are still major questions about availability, backup, encryption, monitoring, incident response, and of course compliance, because enterprises are still required to remain compliant with the applicable regulations and laws when using cloud services.
During one particular conversation this week, a security pro gave me the sense that the acceptance of the cloud wasn't as much about security as it was about obscurity. If I'm outsourcing data alongside hundreds of other companies using the same service, then in the event of a breach, chances are someone else's data will make for a much more attractive target. Sadly, just because you're hiding your data under the same rock as everybody else doesn't mean it's any less likely to be exposed.
Let me be clear, by no means am I anti-cloud. Clearly cloud-based services are proving their worth in many realms from CRM and ERP to managed messaging and collaboration to sheer processing power, just to name a few. The cloud will without question be a big part of the future of IT, and security teams should start thinking about how they would ensure secure use of cloud-based services, because eventually it'll be something virtually all organizations will have to do.
My point is you're supposed to be the skeptics, the ones who offer caution to their enterprise's decision makers about jumping head-first into a new technology implementation, especially when the short- and long-term security implications are often unclear. This isn't the time for a role reversal.
So while the cloud may seem (dare I say) sexy, don't be so easily seduced by the allure of low-cost services and worry-free security. The bottom line is, when it comes to cloud security, we still don't know what we don't know.