Friday, October 28, 2011

Feeling Insecure

One of the most frequently discussed concerns about using cloud computing is security. Management have a false sense comfort when the computers and, therefore all of their digital assets, are housed within the four walls of the company. Having the server just down the hall somehow instills confidence that nothing bad can happen.

Of course, you and I know the dangers come primarily from the people with administrative control and any physical connection to the outside world. Where these boxes sit is way less important than the electronic defenses and governing procedures surrounding access.

My view has always been that cloud computing services can afford to invest more in hardware and software than most companies are able or willing to spend. Cloud providers will construct the most secure and robust infrastructure and staff it with the best resources because this is their primary business. Most other companies have to weigh the cost of high end security systems and security professionals again other investments in the core business. A new firewall or intrusion detection software is not likely to win against a new print ad campaign or product line extension.

Yet, executives cling to the belief that their IT department will somehow manage to protect their systems and data. Putting this responsibility in the hands of a third party somehow introduces an additional level of risk.

My faith in cloud providers was shaken a bit, though, when I read about the recently exposed security flaw in Amazon AWS. Researchers uncovered an electronic loophole which would have allowed the bad guys to take administrative control of the AWS environment. Very scary to think someone might have discovered the back door to the fort was left open so anyone could waltz in and take over.

It is true cloud providers like Amazon may have the best of the best. But we certainly know that nothing is perfect and it is likely that other security holes will be found. Attackers may anticipate a greater payoff in hacking a cloud service than going after any single company. I was reminded of Willie Sutton who, when asked why he robbed banks, replied, "..because that's where all the money is."

One cloud provider may be supporting the systems of thousands of different customers including some applications for major corporations. A successful hacker would be a kid in a candy store -- at night, after close, with no parents around. Why spend time breaking the lock on the front door of a house when you could compromise the card key system in a thousand room hotel.

In my view, at the end of the day, the cloud providers are still the better bet. They have the best chance of detecting potential weaknesses, plugging holes when they are discovered, detecting attempted and successful breaches and continuously improving their defenses. Being one of many companies in a shared facility also afford some degree of further protection. All the hotel doors may be open, but the thief still has to figure out what room you are in.

Given the number and frequency of high profile security breaches, no one knows how to maintain absolute security. I'm going with the safety in numbers theory and suggest taking your chances with cloud services.

Captain Joe

Follow me on Twitter @JPuglisiLLC