Feeds

Easier to secure the cloud than your data center - IBMer

Really?

Application security programs and practises

Security is probably the biggest factor keeping enterprises from moving more applications and data to public clouds. I argue that security is just one (albeit a hugely important one) of the reasons why public clouds will exist as a tool for data centers – rather than the default usage model – for the foreseeable future.

However, according to IBM CTO of Cloud Computing Harold Moss, clouds are nothing to be worried about from a security standpoint.

In a blog, IBMer Steve Hamm lays out Moss’s case. Here’s a taste:

“That’s why a claim by one of IBM’s security mavens, Harold Moss, chief technology officer of cloud computing strategy, seems so surprising. ‘There’s a misconception that cloud is less secure than traditional IT environments,’ says Moss. ‘The cloud can actually be more secure.’”

That statement got my attention like a slap across the face with a dead flounder. I’m not a security expert, and I’m not the right guy to assess what’s ‘enough’ security for every application or data set. But I am a business person with some technology expertise and experience, and I understand risk. It is damned hard to swallow the idea that my data and apps are more secure in the typical cloud of today.

However, the key phrase in the Moss quote is, “The cloud can actually be more secure,” and I agree with that. But as I’ll explain later, a solidly secure cloud isn’t so cloudy anymore.

Moss supports his assertion with three reasons, which I will assail individually and follow with a summary rant.

1. Companies that move stuff to the cloud will be more watchful and make sure that it’s well protected.

This is like arguing that leaving the doors of my house unlocked at night will make me safer because I’ll be listening more closely for intruders and my valuables are chained to the floor. To stretch the analogy, it’s more like moving to a bad neighborhood and relying on rent-a-cops to keep me and my stuff safe.

Moving processes to the cloud will have exactly the opposite effect that Moss claims. Deploying to the cloud will, I think, lead to complacency as the ‘out of sight, out of mind’ facet of human nature comes into play.

2. All clouds and cloud providers aren’t the same. Security mechanisms can be customized to the needs of the workload and customer.

This is true; you can certainly set up extremely rigorous security and be reasonably sure that your important data can’t be accessed by a talented high school kid, a web surfing competitor, or even a nation-state intent on ferreting out your new product specs.

But how far does the security customization go? Can you require your data to remain in your country? Will my data be encrypted? Are my apps and data comingled with stuff from other clients of yours? Does the provider do thorough background checks on their employees? Is the physical security of the building and the servers/storage solid – do the door locks work? What protection do I have if there is a security breach?

After you’ve answered these questions well enough to quell my fears, tell me exactly how much this will cost me.

One can argue that these requirements are more stringent than what most corporate data centers have in place now. But the laundry list of items I lay out above are all issues that can be reasonably addressed by even small organizations. Many issues, such as data locality and commingling of data, arise from the cloud model itself, and wouldn’t otherwise exist.

3. Third parties are likely to have better security than you do.

In this point, Moss isn’t saying that customers are security hicks (although many are). Rather, he’s saying that having lots of customers allows the provider to spread the cost of sophisticated security across a large base of clients, resulting in lower costs for all. I agree with this to a degree, particularly where smaller companies are concerned (as is pointed out in the IBM blog).

But doesn’t a big data center with oodles of important data present a nice target for hackers and other unsavory types? The argument here implies that the cloud vendor can invest in really good security mechanisms and use them for all clients. Is this the right approach? Did it make the right choices?

Eight steps to building an HP BladeSystem

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
SHOCK and AWS: The fall of Amazon's deflationary cloud
Just as Jeff Bezos did to books and CDs, Amazon's rivals are now doing to it
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
BlackBerry: Toss the server, mate... BES is in the CLOUD now
BlackBerry Enterprise Services takes aim at SMEs - but there's a catch
The triumph of VVOL: Everyone's jumping into bed with VMware
'Bandwagon'? Yes, we're on it and so what, say big dogs
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.