Security is emerging as the #1 reason people give for shying away from the cloud, according to NIST (National Institute of Standards and Technology, Computer Security Division).
This post is my attempt at pulling together the cloud security-related resources in one place.
A recent article in Technology Review was quoted in NYT. The tone is more sensational than is warranted. The TR article is based on an experiment where researchers were able to discover whether a “victim” Virtual Machine was lightly or heavily loaded. OK, so you can tell when the server is busy — just like the pizza delivery guy can tell when folks are working late at the CIA office. It’s a long way from there to getting your hands on confidential information, IMHO.
Sensational or not, the point about security is valid. If you are a cloud company, your competitor may well use FUD (fear, uncertainty and doubt) against you. So how do we assure ourselves and our customers of the security of our cloud application? No silver bullets here, just old-fashioned common sense applied across the board. Keep in mind that security is more than IT security. If you have an ultra-secure IT infrastructure and your users leave passwords on yellow stickies under their keyboards, the infrastructure was probably not worth the money you spent on it.
First, build security into the architecture, not as an afterthought. Amazon offers these guidelines for developing HIPAA-compliant applications. Whether you use Amazon or not, and whatever your application’s security requirements, you need to have architecture guidelines for your application. And your implementation team needs to follow them.
Second, there are a number of assessment tools out there. Thanks to Steve Primost (his blog) for this link on the Microsoft Security Assessment Tool.
Third, if you were the customer, which would you find more compelling?
- We did an assessment of our software and believe it to be secure, or
- We had an independent IT security firm go through our architecture and implementation, and they found it to be secure, or
- We had an independent IT security firm try to penetrate our security by hacking into our system. After a week, they gave up.
The level you choose depends on how important security is for your business and your customers. Well, of course it is important. But are you/they willing to pay the extra cost of ensuring that it is?

2 responses so far
Lionel // December 29, 2009 at 9:09 am
Hi J,
This blog is a great idea. And, a good point about the sensationalism out there.
One of my takeaways from that cloud meeting we both attended was that security is a relative thing. How secure is the in-house IT that the customer is using now? What are the holes they know about because they haven’t deemed it worthwhile to pay the cost to secure them, or because of the resultant ways it would get in the way of doing business?
Also, the time-tested question of “How have other companies assured themselves of this cloud vendor’s security?” is relevant. After all, your in-house security probably follows this model to some degree.
cheers,
Lionel
Erik Sebesta // January 4, 2010 at 4:18 pm
Security has not stopped these 35 major companies from cloud computing success.
http://cloudtp.com/cloud-computing/cloud-computing-success-stories