Easier to secure the cloud than your data center - IBMer
Security is probably the biggest factor keeping enterprises from moving more applications and data to public clouds. I argue that security is just one (albeit a hugely important one) of the reasons why public clouds will exist as a tool for data centers – rather than the default usage model – for the foreseeable future.
However, according to IBM CTO of Cloud Computing Harold Moss, clouds are nothing to be worried about from a security standpoint.
In a blog, IBMer Steve Hamm lays out Moss’s case. Here’s a taste:
“That’s why a claim by one of IBM’s security mavens, Harold Moss, chief technology officer of cloud computing strategy, seems so surprising. ‘There’s a misconception that cloud is less secure than traditional IT environments,’ says Moss. ‘The cloud can actually be more secure.’”
That statement got my attention like a slap across the face with a dead flounder. I’m not a security expert, and I’m not the right guy to assess what’s ‘enough’ security for every application or data set. But I am a business person with some technology expertise and experience, and I understand risk. It is damned hard to swallow the idea that my data and apps are more secure in the typical cloud of today.
However, the key phrase in the Moss quote is, “The cloud can actually be more secure,” and I agree with that. But as I’ll explain later, a solidly secure cloud isn’t so cloudy anymore.
Moss supports his assertion with three reasons, which I will assail individually and follow with a summary rant.
1. Companies that move stuff to the cloud will be more watchful and make sure that it’s well protected.
This is like arguing that leaving the doors of my house unlocked at night will make me safer because I’ll be listening more closely for intruders and my valuables are chained to the floor. To stretch the analogy, it’s more like moving to a bad neighborhood and relying on rent-a-cops to keep me and my stuff safe.
Moving processes to the cloud will have exactly the opposite effect that Moss claims. Deploying to the cloud will, I think, lead to complacency as the ‘out of sight, out of mind’ facet of human nature comes into play.
2. All clouds and cloud providers aren’t the same. Security mechanisms can be customized to the needs of the workload and customer.
This is true; you can certainly set up extremely rigorous security and be reasonably sure that your important data can’t be accessed by a talented high school kid, a web surfing competitor, or even a nation-state intent on ferreting out your new product specs.
But how far does the security customization go? Can you require your data to remain in your country? Will my data be encrypted? Are my apps and data comingled with stuff from other clients of yours? Does the provider do thorough background checks on their employees? Is the physical security of the building and the servers/storage solid – do the door locks work? What protection do I have if there is a security breach?
After you’ve answered these questions well enough to quell my fears, tell me exactly how much this will cost me.
One can argue that these requirements are more stringent than what most corporate data centers have in place now. But the laundry list of items I lay out above are all issues that can be reasonably addressed by even small organizations. Many issues, such as data locality and commingling of data, arise from the cloud model itself, and wouldn’t otherwise exist.
3. Third parties are likely to have better security than you do.
In this point, Moss isn’t saying that customers are security hicks (although many are). Rather, he’s saying that having lots of customers allows the provider to spread the cost of sophisticated security across a large base of clients, resulting in lower costs for all. I agree with this to a degree, particularly where smaller companies are concerned (as is pointed out in the IBM blog).
But doesn’t a big data center with oodles of important data present a nice target for hackers and other unsavory types? The argument here implies that the cloud vendor can invest in really good security mechanisms and use them for all clients. Is this the right approach? Did it make the right choices?