Security tends to dominate many discussions regarding the adoption of cloud computing. I outlined some of the risks that often come up in this context. Yet, which of the information security risks are actually unique to the cloud paradigm? Michael Cloppert raises this point in his insightful post Let’s Enable Cloud Computing.
Michael points out that most of the risks brought up in cloud discussions are applicable to IT in general and either have a mitigation strategy or have been accepted. He sums up the infosec community’s response to cloud security as “fear of the unknown,” concluding that:
"Classic InfoSec mindset is as a gateway; a veto-holding non-voting member of the IT community. The correct role, in my opinion, is as an active participant in technical innovation, architecture, and the engineering process, making sure requirements are met in a way that balances risk with cost - not eliminating risk at extraordinary cost."
I tie the fear of the unknown to the desire to wait for cloud technologies and management processes to mature, and that’s fine with me. For instance, during early VLAN days, not many admins knew the syntax and the implication of certain commands, and were more likely introduce a configuration error that introduced a vulnerability. Similarly, many organizations implementing virtualization in the context of cloud computing are new to the tools and can make configuration mistakes. Further, the products they’re using are relatively immature and haven’t been time-tested.
The risks related to the newness of cloud technologies will become less of an issue in about a year. Until then, most security professionals will apply extra scrutiny to proposals that involve processing sensitive or regulated data in shared cloud environments. I think that’s a good idea, as long as the discussions don’t immediately lead to a flat “no way” as soon as the term “cloud” is brought up.
The biggest concern I have over outsourced cloud is that the economics are pushing a lot of companies to outsource without carefully understanding and codifying their requirements. Further, they might not know how to define a proper outsourcing contract, how to manage the IT transition project or how to oversee the resulting environment. These are the areas where experienced information security professionals can add a lot of value.
Want to know more? Read my earlier notes on cloud security.