Monday, October 13, 2008
Steve, CTO at Secerno, has written a neat article on security around cloud computing (CC).
Demystifying cloud computing
The realities of cloud computing are that it is driven by economics, and reducing cost does not always mean an improvement in security. Securing data isn't an easy task, and exposing services and moving data outside an organisation does not automatically make data security easier; it can actually make it more complex. Those adopting cloud computing must remember it is the responsibility of the data owner, not the service provider, to secure valuable data.
There are many myths surrounding the security of cloud computing, which need to be addressed to enable businesses to get the full benefits of this technology. Design and implementation of access controls is just as important and easy to get wrong in-the-cloud as it is in any IT system, but exposure to remote attackers is higher in-the-cloud, accentuating the risks. There is a perception that cloud computing removes data compliance pains; however, it should be clear that the data owner is still fully responsible for compliance. Furthermore, concentrating several companies' mission-critical data in a single location provides an enriched target that will inevitably attract the forces of e-crime. Hackers only have to get lucky once – the cloud must defend the data from all misuse – a tough job!
Cloud computing is not necessarily more secure; applications with years of expert development still contain undiscovered vulnerabilities that can be a risk to data security. There is insufficient evidence that cloud computing providers have got it right yet; nor, for that matter, have the organisations in determining and enforcing which users have access to what.
Cloud applications undergo constant feature additions and users must keep up to date with the application improvements to ensure they are protected. This means that users have to constantly upgrade, as an older version will not function or protect the data.