In cloud security advice we trust? At your peril…

December 8, 2011 By David
Grazed from CloudPro. Author: Davey Winder.

Talking at the launch of the Generation Cloud report recently, Fabio Torlini – vice president of cloud at report sponsors Rackspace – said businesses have a great opportunity to "shape consumer understanding of cloud computing and build trust."

Although the report was concerned with consumer attitudes towards cloud technologies, it did reveal a number of things that every business, from the smallest end of the SME scale to the largest international corporate, needs to take on board.

For example, 69 per cent of those asked did not trust their cloud service providers, and the biggest concerns were around security, privacy and transparency. Sounds familiar, doesn’t it? And if it doesn’t, oh boy are you in trouble. These are exactly the kinds of issues that should be at the very forefront of any cloud adoption strategy, right at the top of your cloud agenda and carved in stone before you even consider going live…

Yet, coming back to the words of Mr Torlini, it strikes me that far too many of those in a position to "shape consumer understanding" have yet to properly understand these core cloud issues themselves.

What I’m talking about is the spectrum of advice being handed out almost willy-nilly by anyone and their uncle when it comes to ‘cloud security’ these days. Now that we have moved beyond cloud just being a great scorer in a game of Buzzword Bingo, and on to it actually being something that is out there making people money, everyone is an expert all of a sudden.

The trouble is it is becoming harder to separate the good advice from the bad. Especially when there are so many well-meaning folk who are offering what they believe to be good advice, but which actually should be filed under ‘needs a lot closer inspection’ rather than ‘quick sound bite to be taken as gospel’ as is all too often the case.

Take the well-known entrepreneur James Caan, a former Dragon from the BBC Dragons’ Den series and CEO of private equity firm Hamilton Bradshaw, who is an undoubted expert on many things business-related and I wouldn’t want to suggest otherwise. I think I am on fairly safe territory when I say that he isn’t a renowned expert on cloud security though.

Yet, as the headline speaker at the Ahead in the Clouds Breakfast Meeting held during the recent Global Entrepreneurship Week, Caan addressed the problems of security issues being a potential impediment to cloud growth and stated "one way to safeguard data is to use multiple cloud providers – spreading the risk is important and this can be achieved by spreading data among a number of cloud suppliers".

Now, he was right in one sense; spreading your data amongst myriad cloud service providers certainly exponentially reduces the risk of that data being either unavailable or lost should one service lose connectivity or, worse yet, cease trading.

But this quote, which was distributed to the media via the official press release from the event in the context of cloud security, misses the point by a country mile when it comes to safeguarding data from a holistic ITSec perspective.

Spreading the risk is an important part of the rollout strategy when it comes to ensuring availability of data, but just as the risk in this scenario goes down for every supplier that you add to the cloud service provider chain, conversely the data breach risk, the regulatory compliance risk, the overall data security risk goes up with each additional supplier you bring on board.

The more providers you use, the broader your attack landscape becomes. The more providers you use, the more risk there is that someone, somewhere, will make a mistake. Simply introducing multiple service providers does not a secure cloud make.

The point is even those with the best intentions can sometimes lead us astray. Security advice in the cloud, as anywhere else when it comes to your business data, is best left to the experts.

In the rush to become part of the new data revolution, it is all too easy to mistake volume for authority, media exposure for expertise and, ultimately, well-intentioned sound bites for mature security thinking.

A good starting point for such mature thinking, other than to keep reading Cloud Pro of course, would be the Cloud Security Alliance. Its "Security Guidance for Critical Areas of Focus in Cloud Computing" wiki provides foundational best practices for securing cloud computing and should be mandatory reading for anyone who takes cloud security seriously.