Feeds

Easier to secure the cloud than your data center - IBMer

Really?

The essential guide to IT transformation

Security is probably the biggest factor keeping enterprises from moving more applications and data to public clouds. I argue that security is just one (albeit a hugely important one) of the reasons why public clouds will exist as a tool for data centers – rather than the default usage model – for the foreseeable future.

However, according to IBM CTO of Cloud Computing Harold Moss, clouds are nothing to be worried about from a security standpoint.

In a blog, IBMer Steve Hamm lays out Moss’s case. Here’s a taste:

“That’s why a claim by one of IBM’s security mavens, Harold Moss, chief technology officer of cloud computing strategy, seems so surprising. ‘There’s a misconception that cloud is less secure than traditional IT environments,’ says Moss. ‘The cloud can actually be more secure.’”

That statement got my attention like a slap across the face with a dead flounder. I’m not a security expert, and I’m not the right guy to assess what’s ‘enough’ security for every application or data set. But I am a business person with some technology expertise and experience, and I understand risk. It is damned hard to swallow the idea that my data and apps are more secure in the typical cloud of today.

However, the key phrase in the Moss quote is, “The cloud can actually be more secure,” and I agree with that. But as I’ll explain later, a solidly secure cloud isn’t so cloudy anymore.

Moss supports his assertion with three reasons, which I will assail individually and follow with a summary rant.

1. Companies that move stuff to the cloud will be more watchful and make sure that it’s well protected.

This is like arguing that leaving the doors of my house unlocked at night will make me safer because I’ll be listening more closely for intruders and my valuables are chained to the floor. To stretch the analogy, it’s more like moving to a bad neighborhood and relying on rent-a-cops to keep me and my stuff safe.

Moving processes to the cloud will have exactly the opposite effect that Moss claims. Deploying to the cloud will, I think, lead to complacency as the ‘out of sight, out of mind’ facet of human nature comes into play.

2. All clouds and cloud providers aren’t the same. Security mechanisms can be customized to the needs of the workload and customer.

This is true; you can certainly set up extremely rigorous security and be reasonably sure that your important data can’t be accessed by a talented high school kid, a web surfing competitor, or even a nation-state intent on ferreting out your new product specs.

But how far does the security customization go? Can you require your data to remain in your country? Will my data be encrypted? Are my apps and data comingled with stuff from other clients of yours? Does the provider do thorough background checks on their employees? Is the physical security of the building and the servers/storage solid – do the door locks work? What protection do I have if there is a security breach?

After you’ve answered these questions well enough to quell my fears, tell me exactly how much this will cost me.

One can argue that these requirements are more stringent than what most corporate data centers have in place now. But the laundry list of items I lay out above are all issues that can be reasonably addressed by even small organizations. Many issues, such as data locality and commingling of data, arise from the cloud model itself, and wouldn’t otherwise exist.

3. Third parties are likely to have better security than you do.

In this point, Moss isn’t saying that customers are security hicks (although many are). Rather, he’s saying that having lots of customers allows the provider to spread the cost of sophisticated security across a large base of clients, resulting in lower costs for all. I agree with this to a degree, particularly where smaller companies are concerned (as is pointed out in the IBM blog).

But doesn’t a big data center with oodles of important data present a nice target for hackers and other unsavory types? The argument here implies that the cloud vendor can invest in really good security mechanisms and use them for all clients. Is this the right approach? Did it make the right choices?

Boost IT visibility and business value

More from The Register

next story
Pay to play: The hidden cost of software defined everything
Enter credit card details if you want that system you bought to actually be useful
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
HP busts out new ProLiant Gen9 servers
Think those are cool? Wait till you get a load of our racks
Silicon Valley jolted by magnitude 6.1 quake – its biggest in 25 years
Did the earth move for you at VMworld – oh, OK. It just did. A lot
VMware's high-wire balancing act: EVO might drag us ALL down
Get it right, EMC, or there'll be STORAGE CIVIL WAR. Mark my words
Forrester says it's time to give up on physical storage arrays
The physical/virtual storage tipping point may just have arrived
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.