Feeds

Easier to secure the cloud than your data center - IBMer

Really?

3 Big data security analytics techniques

Security is probably the biggest factor keeping enterprises from moving more applications and data to public clouds. I argue that security is just one (albeit a hugely important one) of the reasons why public clouds will exist as a tool for data centers – rather than the default usage model – for the foreseeable future.

However, according to IBM CTO of Cloud Computing Harold Moss, clouds are nothing to be worried about from a security standpoint.

In a blog, IBMer Steve Hamm lays out Moss’s case. Here’s a taste:

“That’s why a claim by one of IBM’s security mavens, Harold Moss, chief technology officer of cloud computing strategy, seems so surprising. ‘There’s a misconception that cloud is less secure than traditional IT environments,’ says Moss. ‘The cloud can actually be more secure.’”

That statement got my attention like a slap across the face with a dead flounder. I’m not a security expert, and I’m not the right guy to assess what’s ‘enough’ security for every application or data set. But I am a business person with some technology expertise and experience, and I understand risk. It is damned hard to swallow the idea that my data and apps are more secure in the typical cloud of today.

However, the key phrase in the Moss quote is, “The cloud can actually be more secure,” and I agree with that. But as I’ll explain later, a solidly secure cloud isn’t so cloudy anymore.

Moss supports his assertion with three reasons, which I will assail individually and follow with a summary rant.

1. Companies that move stuff to the cloud will be more watchful and make sure that it’s well protected.

This is like arguing that leaving the doors of my house unlocked at night will make me safer because I’ll be listening more closely for intruders and my valuables are chained to the floor. To stretch the analogy, it’s more like moving to a bad neighborhood and relying on rent-a-cops to keep me and my stuff safe.

Moving processes to the cloud will have exactly the opposite effect that Moss claims. Deploying to the cloud will, I think, lead to complacency as the ‘out of sight, out of mind’ facet of human nature comes into play.

2. All clouds and cloud providers aren’t the same. Security mechanisms can be customized to the needs of the workload and customer.

This is true; you can certainly set up extremely rigorous security and be reasonably sure that your important data can’t be accessed by a talented high school kid, a web surfing competitor, or even a nation-state intent on ferreting out your new product specs.

But how far does the security customization go? Can you require your data to remain in your country? Will my data be encrypted? Are my apps and data comingled with stuff from other clients of yours? Does the provider do thorough background checks on their employees? Is the physical security of the building and the servers/storage solid – do the door locks work? What protection do I have if there is a security breach?

After you’ve answered these questions well enough to quell my fears, tell me exactly how much this will cost me.

One can argue that these requirements are more stringent than what most corporate data centers have in place now. But the laundry list of items I lay out above are all issues that can be reasonably addressed by even small organizations. Many issues, such as data locality and commingling of data, arise from the cloud model itself, and wouldn’t otherwise exist.

3. Third parties are likely to have better security than you do.

In this point, Moss isn’t saying that customers are security hicks (although many are). Rather, he’s saying that having lots of customers allows the provider to spread the cost of sophisticated security across a large base of clients, resulting in lower costs for all. I agree with this to a degree, particularly where smaller companies are concerned (as is pointed out in the IBM blog).

But doesn’t a big data center with oodles of important data present a nice target for hackers and other unsavory types? The argument here implies that the cloud vendor can invest in really good security mechanisms and use them for all clients. Is this the right approach? Did it make the right choices?

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
Bored with trading oil and gold? Why not flog some CLOUD servers?
Chicago Mercantile Exchange plans cloud spot exchange
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.