Since adoption is ramping up, one can infer that such thefts are already ongoing. (Or, more scarily, one can take a short intellectual leap from my post, Admiral Warns Cybersecurity Threat Looms For U.S., and assume that cloud data thefts are already rampant, we're just not hearing about them.)
It's interesting to note that cloud security holes result not from any inherent shortcomings of the technology itself, but rather from its inherently greater exposure. Namely, it's visible on the Internet. Also, as I mentioned up top, our processes have not yet caught up with our financially induced rush to shed more secure (because they're better, though not entirely, hidden) self-hosted apps, in favor of the promised capex savings of SaaS equivalents.
The most succinct summary of the problem comes via the document, "Security Guidance for Critical Areas of Focus in Cloud Computing," which I encourage you to download from the Cloud Security Alliance [pdf is here], which speaks of the erosion of the traditional security perimeter:
"It is clear that the impact of the re-perimeterization and the erosion of trust boundaries we have seen in the enterprise is amplified and accelerated due to Cloud."
Operationally, one can analogize purchasing cloud services to owning a car. The manufacturer (or, in this case, the vendor) is responsible for creating a safe product. However, practically speaking, the buck stops with you the user as far as ultimately ensuring safe operation.
[Another way of viewing this is, cloud users have service level agreements, most of which have fine print blowing off responsibility for security. So maybe if there's a breach, you can still have your legal department sue the crap out of someone, but as the computer person in your org, that buck to which I referred will still be stopping at your desk.]
This means that cloud users cannot cede security to their provider. Adding complexity on top of this admittedly simplistic advice is the nuance of different clouds presenting different challenges. Or, as the Cloud Security Alliance's paper puts it:
"The key takeaway from a security architecture perspective in comparing the [different SaaS] models is that the lower down the stack the Cloud service provider stops, the more security capabilities and management the consumer is responsible for implementing and managing themselves."
Where does these leave us? Process-wise, right now both users and providers are groping towards a solution. As the CSA doc summarizes it:
"The relative maturity of Cloud Services will lead to history repeating itself with respect to security issues. Consumers, Businesses, Cloud Service Providers, and Information Security and Assurance professionals need to collaborate to shine a light on the potential issues and solutions listed above and to discover those not yet identified."
Next time, I'll take a look at some of the technical solutions being floated to address security in the cloud.
Follow me on Twitter: (@awolfe58)
What's your take? Let me know, by leaving a comment below or e-mailing me directly at [email protected].
Alex Wolfe is editor-in-chief of InformationWeek.com.