At the Interop New York conference on Wednesday, a panel of cloud experts failed to reach consensus on those important questions. Their discussion, in a session titled "Is Cloud Security Risk Overstated?" underscored that key issues around cloud security and risk have yet to be resolved.
Oren Michels, CEO of Mashery, a provider of API management services that uses Amazon Web Services (AWS), said that F.U.D. -- fear, uncertainty, and doubt -- over cloud security continues to cause some companies to proceed cautiously. Despite such wariness, Michels said he was unaware of any data breaches that could be attributed to a compromised virtual server in the cloud.
Steve Riley, senior technical program manager with AWS, said that Amazon, with its multiple data centers and sophisticated redundancy capabilities, is generally able to provide a higher level of data security than many businesses can from their own data center.
However, several attendees questioned whether cloud vendors are doing enough to gain the trust of IT departments that are evaluating their services. "How transparent are you when customers come in and really want to understand how you do things?" asked one IT manager.
Amazon, for example, doesn't let customers tour its data centers to get a first hand view of its security practices, said Michels. Riley acknowledged that even he – a senior technical program manager for AWS – isn't allowed into Amazon's data centers.
"I want visibility -- clarity -- into their security" capabilities, said one attendee. Riley told the audience that Amazon's security "is better than yours." That drew a quick response from the same attendee, who was unconvinced: "I don't know that."
Panel moderator Drew Bartkiewicz, CEO of CyberRiskPartners, pointed to an escalation in the "consequences" of data breaches and said that cloud security "isn't as good as we think." He said the industry hasn't worked through the issue of "who absorbs the cost of failure" when data breaches lead to multimillion-dollar business losses. Cloud service level agreements generally don't cover a customer's financial losses, he added.
"Why do we think that litigation will not find its way into what we do?" asked Bartkiewicz, whose company offers cyber insurance through its "hedging platform."
However, the idea of insuring cloud services to protect against significant business loss drew only modest interest from attendees, who seemed more focused on avoiding mistakes in the first place.
Blade servers are coming into their own, especially as part of virtualization projects. Also in this new, all-digital InformationWeek supplement: Want really cool blades? Total liquid submersion systems deliver. Download the supplement here (registration required).