The Cloud Does Not Absolve Responsibility
Cloud computing certainly offers cost management opportunities for organizations straining to maintain server infrastructure, but there is more to consider than just server management. Security in the cloud simply has not had an opportunity to mature. Protecting servers, which cloud providers can no doubt do pretty effectively, is different from protecting information. Those organizations that believe they can outsource the responsibility of securing their information by shipping applications into the cloud are being naive.
There are three issues that come to mind immediately.
- I think it is true that cloud providers can maintain the security of their systems much better than companies due to the resources available to them. However, attackers will target web and database applications, not servers. While the servers are protected, your data can still be exposed due to poor practices and controls.
- Cloud computing, by its very nature, will limit the type of security tools that can be applied in that environment. While you could manage firewalls, intrusion detection/prevention systems, and other data leak prevention tools in an internal network, these additional layers aren’t specifically provided in the cloud. You may be able to design them into the environment for additional costs, but are you now minimizing your return on investment?
- You may have little control over how much audit information is collected, which can prevent you from being proactive. Cloud providers are initiating contracts that give you ownership of your data, but you may not own all of your log data. Getting this information may require a court order.
Ultimately, you need to be aware of how data flows inside and outside your organization, whether you choose to house servers internally or move applications to the cloud. If your business relies on highly valuable intellectual property, then you may want to think twice about the types of controls available to you in the cloud. If you wouldn’t normally apply additional controls or monitoring devices to your data, then the cloud may be a cost-effective solution with good basic security measures.
If you are considering cloud computing, keep the following in mind:
- Computer security is not the same as information security. Understand the value of information to your business and what level of protection is required for that information.
- Understand that even if you own your data, the audit log data may not be accessible to you. Determine the consequences of not having access to audit logs and decide whether it’s important or not.
- Once applications and data are in the cloud, you may not be able to apply compensating detective and preventive controls like you would internally. If that raises concern, then you may not want to put that type of data into the cloud environment.
Cloud computing offers incredible opportunities for business processing at lower costs, but the business decision must also consider security and privacy concerns. The responsibility and reputation consequences for a breach do not disappear into the cloud when your data goes there. It’s important to consider the risk as well as the benefit when making decisions about cloud computing. Remember, you are protecting information, and that goes beyond just the physical location of servers.
Paul, once again I learned something new from you. Good job.