Feeds

Easier to secure the cloud than your data center - IBMer

Really?

Build a business case: developing custom apps

Security is probably the biggest factor keeping enterprises from moving more applications and data to public clouds. I argue that security is just one (albeit a hugely important one) of the reasons why public clouds will exist as a tool for data centers – rather than the default usage model – for the foreseeable future.

However, according to IBM CTO of Cloud Computing Harold Moss, clouds are nothing to be worried about from a security standpoint.

In a blog, IBMer Steve Hamm lays out Moss’s case. Here’s a taste:

“That’s why a claim by one of IBM’s security mavens, Harold Moss, chief technology officer of cloud computing strategy, seems so surprising. ‘There’s a misconception that cloud is less secure than traditional IT environments,’ says Moss. ‘The cloud can actually be more secure.’”

That statement got my attention like a slap across the face with a dead flounder. I’m not a security expert, and I’m not the right guy to assess what’s ‘enough’ security for every application or data set. But I am a business person with some technology expertise and experience, and I understand risk. It is damned hard to swallow the idea that my data and apps are more secure in the typical cloud of today.

However, the key phrase in the Moss quote is, “The cloud can actually be more secure,” and I agree with that. But as I’ll explain later, a solidly secure cloud isn’t so cloudy anymore.

Moss supports his assertion with three reasons, which I will assail individually and follow with a summary rant.

1. Companies that move stuff to the cloud will be more watchful and make sure that it’s well protected.

This is like arguing that leaving the doors of my house unlocked at night will make me safer because I’ll be listening more closely for intruders and my valuables are chained to the floor. To stretch the analogy, it’s more like moving to a bad neighborhood and relying on rent-a-cops to keep me and my stuff safe.

Moving processes to the cloud will have exactly the opposite effect that Moss claims. Deploying to the cloud will, I think, lead to complacency as the ‘out of sight, out of mind’ facet of human nature comes into play.

2. All clouds and cloud providers aren’t the same. Security mechanisms can be customized to the needs of the workload and customer.

This is true; you can certainly set up extremely rigorous security and be reasonably sure that your important data can’t be accessed by a talented high school kid, a web surfing competitor, or even a nation-state intent on ferreting out your new product specs.

But how far does the security customization go? Can you require your data to remain in your country? Will my data be encrypted? Are my apps and data comingled with stuff from other clients of yours? Does the provider do thorough background checks on their employees? Is the physical security of the building and the servers/storage solid – do the door locks work? What protection do I have if there is a security breach?

After you’ve answered these questions well enough to quell my fears, tell me exactly how much this will cost me.

One can argue that these requirements are more stringent than what most corporate data centers have in place now. But the laundry list of items I lay out above are all issues that can be reasonably addressed by even small organizations. Many issues, such as data locality and commingling of data, arise from the cloud model itself, and wouldn’t otherwise exist.

3. Third parties are likely to have better security than you do.

In this point, Moss isn’t saying that customers are security hicks (although many are). Rather, he’s saying that having lots of customers allows the provider to spread the cost of sophisticated security across a large base of clients, resulting in lower costs for all. I agree with this to a degree, particularly where smaller companies are concerned (as is pointed out in the IBM blog).

But doesn’t a big data center with oodles of important data present a nice target for hackers and other unsavory types? The argument here implies that the cloud vendor can invest in really good security mechanisms and use them for all clients. Is this the right approach? Did it make the right choices?

Build a business case: developing custom apps

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
VVOL update: Are any vendors NOT leaping into bed with VMware?
It's not yet been released but everyone thinks it's the dog's danglies
BlackBerry: Toss the server, mate... BES is in the CLOUD now
BlackBerry Enterprise Services takes aim at SMEs - but there's a catch
SHOCK and AWS: The fall of Amazon's deflationary cloud
Just as Jeff Bezos did to books and CDs, Amazon's rivals are now doing to it
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.