Perception of Security in the Cloud

Arguably the biggest buzzword in computing today is “cloud computing.” Other candidates include “real time web,” “social computing” and (my favorite) “monetization.” Briefly, cloud computing means deploying internet-based applications and services in a way that abstracts hardware needs out, so that dependence on any particular server is limited and adding more servers (or virtual servers) makes scaling relatively easy. The example of cloud computing I am personally most familiar with is Amazon Electronic Compute Cloud, which hosts the web site I have been developing at my job (Trailmeme). There are numerous others.

A recent study reported at Dark Reading claims that adoption of cloud computing is being hampered by concerns about security. I think this is at least somewhat misleading.

The article gives two numbers related to this. First, almost exactly half of companies are not using the cloud and do not plan to at this time. The second number is that half of those mention security as one of their reasons for not rushing to adopt cloud computing. The conclusion of the article is that security is a major concern in cloud computing. I wish this were true but I don’t believe it.

The obvious problem with this is the math. One half of one half means that only one quarter (0.25 or 25% for those who went to public school) considered security a significant point against cloud computing.  But it goes deeper than the math. When most people think of security in the cloud what do they think of? What do they think of when they consider security at all?

Security professionals may be able to describe specific concerns such as side-channel attacks on shared hosts in Amazon’s virtualization structure (see article here; later news indicated the vulnerability had been fixed, see here) or denial-of-service attacks on the infrastructure itself. There may also be questions about how targeted services such as Microsoft SQL Azure are locked down against hacking (that’s one I have wondered about but haven’t had time to examine in depth). They may also worry about backups and disaster recovery. This is a legitimate concern when storing anything on someone else’s servers.

Information technology professionals who are not security specialists probably also have many of the same questions, if they have time to explore them. In my experience, those in IT often find themselves wishing they could devote more time and energy to security, but unless management is willing to reduce the priority of some project, security gets a “patch and pray” approach more often than not. Management claims to value security but rarely understands it deeply enough to know how to factor it into their estimates of time and resources required (notice how kind I’m being here. I haven’t called anyone an idiot in this entire post, so far! But from what I’ve seen of the corporate world, the management attitude towards security is usually something like this).

Anyway, I have many questions about what people mean when they say that security is a reason for not using cloud computing. Do they mean it’s the most important reason? Or is it just one reason of several? Do they mean they heard that the cloud isn’t safe and they’re afraid? Do they mean that they are perfectly satisfied with their current security and don’t want to have to set up a new system (that should be an important one)?

Security should be an important consideration when choosing a technical platform. Maybe the conclusion of the article is backwards, in that case. Maybe instead of lamenting that too many people are worrying about the security of cloud computing, they should worry that not enough are worrying about it. Either way, I’m not convinced people are worrying about the right things, even if they say they are worried about security.
