Cloud Security

Where I work we have several cloud based applications in use by the workforce. About 18 months ago, we were involved in some discussions about cloud security and in that conversation, it was mentioned by one of our security experts that an organization’s information might very well be more secure in the cloud than on premises in the data center. Two weeks ago, I had another conversation with two outside security experts and when I shared that same thought, they both agreed. That made three serious security experts who felt things might be more secure in the cloud rather than on premises.

This is not the commonly held thought by many.

The reason these experts felt things might be more secure in the cloud is that the cloud vendor likely has far more expertise and equipment online to protect your information than a company can afford to put in place to protect that same information in their own data center. Yes, in the data center your email or whatever is protected by your firewalls and whatever detection tools you have in place and it is protected by your administrators who you trust.  But likely you only have 2-3-4 security experts doing the work where the cloud vendor might have 200-300 experts doing the same thing. Furthermore, the vendor has their reputation and their business model based on their security being solid, i.e. it is critical that they keep it secure.

An enterprise, organization, company, school or business has thousands of things to protect and likely only a handful of people dedicated to that protection.  Quite probably its internal security is not as good as it thinks and there are risks to that internally hosted information that are not fully appreciated.

Clearly there are security issues with both approaches and nothing is perfect, but these thoughts are certainly interesting.

Would love to hear your opinion.

4 thoughts on “Cloud Security”

  1. Mark,

    While I agree that the controls employed by the cloud providers are going to be typically better than the controls employed by individuals hosting their own infrastructure, I think crytographic controls are needed to properly secure the data in the cloud. Host-proof encryption generally solves a lot of problems around data sovereignty. Encrypting the data, retaining the key and moving the data to the public cloud could basically address a lot of the confidentiality concerns.

    Most cloud vendors don’t provide any type of cryptographic controls. There are some specialized cloud platforms, mostly in-use by legal industry, that do provide very limited cryptographic controls. They encrypt all the data for the user. However, in order to perform server side processing on the data, these vendors retain a copy of the decryption keys. This creates key management overhead for the provider, and leaves the customers wondering if the keys are being properly managed and secured. To address this, researchers at IBM and Microsoft are working on Fully Homomorphic encryption scheme which will allow these cloud vendors to process the data in its encrypted form, thus removing the need for the cloud provider to retain a copy of the decryption key. While still in a prototype stage, and extremely slow, homomorphic encryption has the potential for addressing lot of data sovereignty issues.

    Saqib

  2. Mark,

    I think comparing cloud security to in-house security involves a “sliding scale” for comparison. On one end of the scale are banking, insurance and financial services firms that have had to build in-house security competency for years, especially the last 15 years with the growth of the Internet. Financial firms that have developed mature security programs for evaluating and assigning controls to projects and products bring a level of in-house business, customer, data and partner relationship knowledge that a cloud provider just can’t offer today (yet?). PCI has pushed large retailers into having to pay more attention to security than prior, but not to the level of heavily regulated financial services firms. The bleed over effect of having to staff or contract for security expertise for PCI functions increases the overall security awareness throughout the rest of the company. Thus consider retailers in the middle. At the low security investment end of the scale would be the construction and manufacturing industries where security is an afterthought with everyone trying to do the right thing, but traditional IT delivery pressures and low IT staffing making it next to impossible to implement any strong security solutions.

    Thus, with the above scale, my opinion at this point in time is that cloud providers are less “secure” than financial services firms given the lack of real understanding of how their cloud services are being used to delivery products and services. Outsourcing security to a cloud provider for these firms means an extra level of due diligence around cloud provider security posture to get comfort plus digging into the multi-tennant challenges that make cloud price competative. Multi-tennant can be challenging to security if architectually there is less logical/physical separation of technical flows and data.

    Cloud = less secure overall for financial services firms

    I would continue to venture to say that PCI compliant cloud providers would be on par with major retailers. For cloud providers to be “PCI DSS compliant” they must implement the perscriptive PCI dictated requirements.

    Cloud = on par with security of PCI compliant companies

    Finally, keeping with the sliding scale, construction and manufacturing companies are most likely less secure that what a cloud provider has adopted security-wise. Thus, it maybe the most attractive for such firms to look to cloud adoption due to the potential cost benefits as well as the added security. The core ERP package must be cloud-condusive. The challenge will be how much has the company’s ERP package been updated as well as how much has it been customized. For firms that are running unsupported, heaviliy customized ERP packages may find the inability to easily transition to cloud offerings. Firms concerned about security have some tough personell and financial decisions to make surrounding achieving the benefits of cloud ERP-ish offerings.

    In summary, I think the sliding scale by industrial sector helps better quantify the security benefits of the cloud compared to in-house offerings.

    BTW, Mark, thanks for adding my blog to your blog role.

  3. Saqib, thanks for your post and I agree with your comments. Users need to have a simple (and transparent and automatic) way to encrypt data going into a cloud storage system (like Drop Box) and then have it decrypted upon the return in the same simple manner. I’m going to follow-up on your references. Thanks for stopping by. Mark

  4. John, great analysis. I agree that there is range of capability at the end user organization level and your analysis makes good sense. Thanks for sharing. I’ve been on one end of the spectrum only and haven’t seen the other end.
    Thanks for stopping by, Mark

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s