Security… Getting to the Bottom of “Cloudphobia”
Cloud solutions have gotten a bad rap. They have incredible potential to minimize a business’s IT infrastructure, scale to meet rapid demand, support mobile workers, and cut costs, but they have also gained the reputation of being a risky investment. Many people are just not ready to trust a third party to secure their confidential data.
I read a series of articles regarding the McAfee security meltdown that occurred a while ago. In this piece by InfoWorld, the author blames McAfee’s blunder on its use of cloud computing. He states that there is no way to know that your data is being treated properly… that it is “being guarded by teams of highly trained security professionals, monitored for threats both internally and externally, and that cutting-edge technology is being employed to ensure against pilfering or destruction.”
This article is then countered in a Web Security Journal article by Salvatore Genovese. Salvatore puts forth the valid argument that the author explicitly stated that McAfee’s system is not cloud computing at all, but a reverse model. He also argues that this problem results from nothing more than an error by McAfee.
What these two opposing viewpoints make evident is the fact that there are several hurdles we need to overcome before cloud solutions can reach their potential. First of all, the cloud needs to stop being the go-to scapegoat when bad press hits. We need to nail down the definition of what “cloud” is, and no longer allow it to be thrown around haphazardly. It is only human nature to fear what we don’t understand, and the same goes for the cloud.
The SNIA CDMI standard is another great step in the right direction. This standard fosters interoperability between vendors, so users can easily move their data between cloud providers, and centers around a REST API. This has been a hot topic for some time, and bodes well for users who will experience increased freedom, and less of an API lock-in from vendors.
Ultimately, skepticism of the “cloud” centers around security, and it is imperative that companies contemplating jumping into the cloud clarify with vendors about the various aspects of data security:
-Security in Redundancy- Data is duplicated in various locations.
-Security in Accessibility- Data can be accessed when it is needed as per SLA.
-Security in Transit- Encryption of data during transfer.
-Security in Storage- Encryption of data at rest.
-Security in Segregation- A hack of one account does not mean all are compromised.
-Security at the Physical Level- Data is stored in audited, secure locations of the client’s choosing.
-Security After Deletion- 100% assurance that when you delete data from the cloud, it is truly gone
The cloud is no different than any repository of confidential data… it needs to be chosen wisely. Once that is ironed out, it is difficult to argue with the economics and value of cloud solutions.