Cloud Security Still Immature
By Edward Cone | Posted Thursday, February 05, 2009 23:02 PM
Ericka Chickowski reports:
Over the past two days I've been attending sessions at the Security Practitioners Conference, which is run as a component of The Open Group Conference in San Diego. Much of the content yesterday focused on security in the cloud, with bigwigs from Salesforce.com, Amazon Web Services, IBM and the like stepping in front of the crowd to pitch their security controls and quell some of the qualms currently keeping many organizations from dipping their data into the cloud.
While some of the controls may be robust, I'm going to throw my lot in with Eric Maiwald, vice president and research director of risk management strategies for Burton Group Security, who hosted an end-of-the-day wrap panel and started it by saying, "I've been listening here today and I don't know if I should be encouraged or really depressed."
The security model is so immature right now that it is clear that most of the assurances cloud vendors offer are around infrastructure and covering their own respective risks. Most cloud vendors will tell you outright that it is up to the customers to individually secure their own applications and data in the cloud, for example, by controlling which ports are open and closed into the customer's virtualized instance within the cloud.
As Maiwald puts it, enterprises need to be aware of this distinction. Security in the cloud means different things to those offering cloud services and those using cloud services. Even if you're working with the most open and forthright vendors who are willing to show you every facet of their SAS 70 audit paperwork and provide some level of recompense for security glitches on their end, they're most certainly not assuming your risks. For example, if Amazon Web Services screws up and your applications are down for half a day, it'll credit you for 110 percent of the fees charged for that amount of time but you're still soaked for any of the associated losses and costs that come as a result of the downtime.
As organizations weigh the risks against the financial benefits of cloud computing, Maiwald believes they must keep in mind that, "There is risk that is not being transferred with that (cloud services) contract."
It still may not be enough to deter certain organizations looking to cut costs, but it should definitely play into a risk assessment formula before you decide to float away into the cloud.