Peter Mojica, Long-Term Archival Preservation Records Management Legal Discovery Compliance

Is Cloud Computing Secure?


Yesterday I attended CloudCampDC and left wondering whether or not cloud computing was less secure than traditional infrastructure. We had a great discussion at the event about security and infrastructure costs that left me thinking that the added costs of ensuring security, i.e. encryption, data segmentation, etc., would make it more secure but also make the costs of development and hosting in the cloud spike considerably. This obviously matters more for some business cases than others, so let's assume two of them: one involving financial or banking data (SSNs, etc.) and another involving Human Resources data (HR files, benefits data, payroll data, etc.). Finally, let's assume we're talking about a SaaS model. I've flagged this as a legal (corporate law) discussion too, hoping some lawyers will add their thoughts to the mix.

Robert,

You have some "it depends" answers here and that's probably the most spot on. And the reason why it depends is few-fold, each with its ups and downs; the basic comparison that is being made is: is my data safer in someone else's data center or my own data center? How your data gets from point to point is the basis for the cloud computing infrastructure (i.e. Amazon S3 APIs or other provider and their published methods).

Why does a remote data center give you more security? Focus and leverage.

They have staff that is dedicated to security and firewalls vs. your corporate IT staff that is very often pulled in different directions and not dedicated to one specific task like managing nothing else except “port security”, for example. It’s just not cost efficient for a corporate IT staff member to be so single-task minded, and most often they are trying to broaden their skills vs. honing one specific skill anyway, so the remote data center level of service wins most often in this regard.

Next, the cloud provider is leveraging 100s of customers against a single infrastructure. And what comes with 100s of customers, delivering data from 100s of application sources, varied operating systems, varying bandwidth connections, protocols, etc. is “experience”. The cloud service provider will control their access points, but they still must help their customers to work through any problems. And although their access point is controlled via APIs or well-known connections and transmission methods, the funnel that their access points come from is wide and deep, so their breadth of experience over a relatively short period of time is vastly greater than what you will experience in a corporate private cloud environment.

Often, the answer to why do I get packet loss and corruption when using the same calls from one application to the cloud but not from another application is not readily evident and needs lots of troubleshooting to figure out; and it’s more than likely that the service provider has run into the problem, figured it out, and knows how to provide a fix so that the data is transmitted securely without errors. This one problem can exhaust an internal IT staff to no end, and it has nothing to do with “IQ”; it’s simply that the service provider gets a lot more “at bats” due to the number of different customers and varied use cases to solve problems and develop best practices, which everyone then benefits from. That’s the leverage part.

All of that said, security usually comes at a dollar price; one of the reasons is that physical security and all of the lower-tech fundamentals, like hiring the right people with strong background checks, regular training, etc., are just as important, if not more so, than having the latest Cisco doohickeys on the network.

So a relatively start-up class of provider can lease the latest and greatest equipment and infrastructure and nail up a sign “Cloud services Open for Business” and promote all of the latest and greatest security gadgetry; but they have no corporate governance that dictates basics like good hiring practices or internal security practices. So while you feel secure that their infrastructure is very strong, their network admin is selling your company’s customer list and credit card numbers to someone in a foreign country.

Like anything else, everything matters and it's the little things that are most often overlooked when it comes to security. Buyer beware is a must.

These are some of the reasons why a service provider will always have a leg up, but that’s not to say that you can’t secure your data yourself just as well or better.

Good Luck,
Peter
June 2009