Cloud Is Not The Security Issue!

I’m getting a bit bored of hearing people ask how to “secure the cloud”.

I’ve got no beef about the importance of the subject. There is no doubt at all that It’s a hot topic right now. We had a good turnout for our Securing Storage in the Cloud webinar this week, and the upcoming RSA Conference Europe in London will be majoring on how to use the cloud securely – along with other subjects, such as cyber-warfare.

Cloud is real

In fact, it’s more than just a hot topic – something people feel they should know about because they have worries around it. It’s something they are concerned with because it’s actually happening. In our webinar, we wanted to gauge how real your interest is in the subject, so we asked listeners how soon they expected to have most of their data in the cloud.

We expected the answer to be more then five years, or never. We thought you’d be setting it comfortably far away, because – apart form analysts and hosting providers, who love it – we mostly hear of the cloud as a dangerous innovation, that should be poked carefully with a stick for a few years before anyone actually adopts it.

To our surprise, listeners voted in favour a two-to-three-year adoption. That was the most popular answer to the question of how quickly your data will get out there. That changed my feelings about the subject. When listeners asked “how do you choose a good cloud provider?” I realised, it was not theoretical.

Hugh Thompson, programme advisor for the RSA conference, said something similar. Last year cloud security was a concern, he said. This year, it’s an operational issue, and people will be coming to the conference with practical guidelines and experience to share.

But cloud is the effect, not the cause

So, if cloud security is real, why is it boring?

Here’s why. I don’t think that cloud is the root cause of any of the security risks we face now. Cloud computing puts data outside the corporate firewall, it sets up new relationships with service providers, and it introduces new technology pieces into the infrastructure which supports your IT services.

But it is only one of the many things happening now to cause those effects.

Whether you use cloud or not (and if you don’t, your users will) your data is becoming more mobile, both within and outside your corporate IT structures.

Bigger faster storage, faster networks and virtualised servers mean your data can move freely within the company. And your users are increasingly carrying mobile devices and finding ways to do their jobs (ie. get at your data) wherever they are.

Cloud is just a visible and fairly well organised instance of a very general and often very disorganised trend, towards data that could potentially be anywhere, and will be used in ways you didn’t initially think of.

Data is on the move

Just picking recent news stories at random, it turns out that people within BT gave unencrypted customer details to law firm ACS, which seems to have itself played fast and loose with personal data. Meanwhile, the Zeus gang found it easy to get users’ details because it could target mobile phones.

While Google could get into hot water with WiSpy, by – almost accidentally – filching private data, NHS staff and others are roaming the streets carrying USB sticks full of sensitive information.

You are right to worry about cloud security (and if you think you can solve the issue by banning the cloud, you are very sadly mistaken).

But clouds aren’t the problem – they are just a symptom of the fact that data is moving faster and more cheaply than ever before. Whether it moves through clouds that you allow, or users’ private unauthorised “grey” clouds, or other different means, data is harder to control.

If you are thinking of cloud services, of course you have to ask questions of their reliability and security. But you must also ask those same questions of your internal services and procedures. The same technology that allows the cloud is undermining your internal security.

Cloud providers know this, and the most adroit at marketing are starting to use this fact.

If you look at the problem of data movement and access – you might find that a cloud provider which explicitly deals with these issues is actually more secure than what you provide in-house.