Of course, you and I know the dangers come primarily from the people with administrative control and any physical connection to the outside world. Where these boxes sit is way less important than the electronic defenses and governing procedures surrounding access.
Yet, executives cling to the belief that their IT department will somehow manage to protect their systems and data. Putting this responsibility in the hands of a third party somehow introduces an additional level of risk.
My faith in cloud providers was shaken a bit, though, when I read about the recently exposed security flaw in Amazon AWS. Researchers uncovered an electronic loophole which would have allowed the bad guys to take administrative control of the AWS environment. Very scary to think someone might have discovered the back door to the fort was left open so anyone could waltz in and take over.
It is true cloud providers like Amazon may have the best of the best. But we certainly know that nothing is perfect and it is likely that other security holes will be found. Attackers may anticipate a greater payoff in hacking a cloud service than going after any single company. I was reminded of Willie Sutton who, when asked why he robbed banks, replied, "..because that's where all the money is."
One cloud provider may be supporting the systems of thousands of different customers, including some applications for major corporations. A successful hacker would be a kid in a candy store -- at night, after close, with no parents around. Why spend time breaking the lock on the front door of a house when you could compromise the card key system in a thousand-room hotel?
In my view, at the end of the day, the cloud providers are still the better bet. They have the best chance of detecting potential weaknesses, plugging holes when they are discovered, detecting attempted and successful breaches, and continuously improving their defenses. Being one of many companies in a shared facility also affords some degree of further protection. All the hotel doors may be open, but the thief still has to figure out what room you are in.
Given the number and frequency of high profile security breaches, no one knows how to maintain absolute security. I'm going with the safety in numbers theory and suggest taking your chances with cloud services.
Captain Joe
Follow me on Twitter @JPuglisiLLC
At the CIO Summit this week, Joe, one presenter said something that struck me (paraphrasing):
"The biggest [security] risk is data on a lost device. So why would you put data on a device?"
I've encountered the statement "The cloud is not secure" many times, and that's simply not good enough.
Everything we do holds an element of risk; it's just a matter of quantifying it, and acting to reduce it in a practical fashion.
Agreed, David, so who do you think has the better chance of detecting or defending against unwanted visitors, and who holds the greater risk of being an attractive target?
Well Joe, we have a saying where I'm from - "You may as well be hung for a sheep as for a lamb".
If you're going to commit data theft, you're best going for the biggest, ripest, most lucrative target (the punishment is probably the same as hitting a smaller target).