Three Things Experts Won't Tell You About Cloud Security

Wednesday, December 14, 2011

Mike Meikle


Cloud computing has been marketed as the great panacea for controlling technology costs, for rapidly deploying solutions and for hedging against uncontrolled system downtime.

Those with experience in this space will be able to poke quite a few holes in those assumptions, but one area that most agree on is that there are greater security risks with cloud-based systems. 

These risks come in the form of lack of control over system and data access, concerns about data encryption, data ownership and classification of critical data. 

Security risks on the business side include loose Service Level Agreement (SLA) metrics and the inability to retrieve enterprise data from the vendor effectively.

How moving to a cloud computing provider can improve security

However, let’s stand that argument on its head and discuss how moving a particular service or system to the cloud can actually improve your organization’s security posture.

  • One way of potentially reducing your security risk is to engage the services of a Managed Security Service Provider (MSSP).  An MSSP can monitor and remediate network and system vulnerabilities, and notify its customers of them, via a cloud service.  The client gains a significant boost to security staff for potentially less than the cost of a single internal hire.  This is an excellent way to free up internal staff to tackle proactive security tasks.
  • Second, a cloud solution for critical data storage provides a hedge against a catastrophic event.  This remotely stored data can then be restored at the reconstituted customer site as part of its Disaster Recovery plan.  One caveat to this strategy is that data restoration from the cloud can be slow, depending on the amount of data and the bandwidth available for the total restoration.  Companies should still have a tape or disk backup strategy for Disaster Recovery or Business Continuity.  However, having the cloud data recovery option available is a viable choice for enterprise customers who cannot afford significant data loss.
  • Third, mobile devices can be managed via a Software as a Service (SaaS) model in the cloud.  Many organizations are looking to pare back IT staff, and adding another system to configure, implement, monitor and maintain for Mobile Device Management (MDM) may prove to be too costly.  Having the hardware/software in the cloud removes a significant internal resource cost as well as capital expenditures on hardware and software.

Ensuring that cloud solutions are more secure than in-house services can be difficult to define and measure. 

However, the use of carefully crafted and monitored SLAs to keep vendors in check, mandating FIPS 140-2 certification of potential vendors and benefiting from vendor technology investments (economies of scale) can add significant weight to cloud solution providers being more secure than in-house solutions.

Cross-posted from Musings of a Corporate Consigliere via ISUtility

Aditya Jayaram: Very good article and advice on considerations prior to adoption of the cloud platform. Just viewed an excellent video presentation, Adoption Roadmap of cloud computing, focusing on adoption strategies.