Security is probably the biggest factor keeping enterprises from moving more applications and data to public clouds. I argue that security is just one (albeit a hugely important one) of the reasons why public clouds will exist as a tool for data centers – rather than the default usage model – for the foreseeable future. However …
all this makes me think of.....
a regular outsourcing affair.... SLAs, tight security, monitoring provider.... sounds like best way to get a real grown up solution that you can bet you business on it to forget the caring, sharing, woolly cloud part and just straight outsource it.....
Cloud needs to host providers core application
If you want something that is secure, reliable and scalable, then you can SLA to death, but it is much better to have something where your interest and the providers interest is aligned.
e.g. @UK PLC provides ecommerce, and is one of the larger customers on its ecommerce engine.
Thus the @UK PLC cloud _MUST_ be Payment Card Industry/Data Security Standard compliant, and security is obviously important, so our system is audited on a daily basis vs the PCI requirement of quarterly audits.
If you are on a managed cloud by xyz hardware or hosting vendor, then clearly they want to ensure it is secure etc etc, but they are not in the same position as someone that is also running their business on the same cloud as you are.
There is also an interest in charging you to do security audits etc to meet your requirements, since this is where they get the nice consultancy revenues as opposed to just bundling in compliance.
Finally, the key part of security is application security, and if you are picking or writing the applications that run on the infrastructure, you have just taken responsibility for all the security holes or added a very nice consulting fee to verify all these applications security and configuration.
In our case we provide the application and manage its security, and you build using our platform if you want to sit under our PCI/DSS compliance. If you want VM/Bare metal hosting, then the costs of compliance go up spectacularly.
All the best - Ronald - @UK PLC
The only way for me to secure data in the cloud (to my personal statisfaction) is by encrypting it. To be sure that the data remains mine I'd have to use symmetric encryption. This is all good and well, but symmetric encryption doesn't allow me to collaborate on my data with others, and it does not allow others access to my data when I'm not online.
I could use asymetric encryption to share my symmetric key. However I would have to share part of the assymetric key amongst trusted co-workers. That key must be available when I am not (i.e. offline). On a Windows PC (for example) that is a simple problem to sovle - I can use the data protection API which can be tied to my machine or my login. DPAPI is also available on Windows Server but it would have to tied to the machine because multiple people need access.
If that server is in the cloud then anyone with admin rights to the server has the ability to decrypt my symmetric key.
If the server is in my data centre, I can implement policy that blocks local sysadmins from accessing that key. I can also secure the key in a hardware security module, and I can physically secure the HSM.
Paris, because my confidence in the cloud is directly proportional to her knowledge of AES-256.
Doesn't work Except for file storage
Works for anything
You can do the same with in-memory objects, integers or strings, columns or rows in databases, connection strings in configuration files... You name it.
Networks and Encryption
The key with Encryption is key management. You want to have a split key with multiple parties that are required to come together to decrypt the data. This is part of the Payment Card Industry/Data Security Standard.
e.g. In our case one key holder has been through the NHS vetting for controlling patent data, and the other key holders have been through the Developed Vetting process for Official Secrets.
The other part is understanding that if you connect to a network then the system is _NOT_ secure. No system that is connected to a network is secure, and you need to do a lot of work to provide a reasonable assurance of security.
There are some economies of scale that a cloud provider hosting an ecommerce application as core business is likely to have more security resources than a corporate office along with the network segmentation to protect against cleaners/temporary staff having access to the network.
If you want cheap security, stand alone PC's with removable hard drives that go into high quality safe, when not in use, is a cheap solution. You need to physically remove USB, floppy and other interfaces or solder them up (cheaper if destructive).
Fibre networks and 3 meter air gaps as firewalls works well, but is a bit more expensive.
Otherwise, a cloud is probably your next best bet if you are going to connect to the internet.
All the best - Ronald - @UK PLC
What about data ownership?
One of my big concerns has been about what it takes for a group to get you data from the cloud provider. I was under the impression that it might not even require a warrant to get your data from them. Thought I remembered a story on here a while back where a company did not even know it was under investigation because law enforcement bypassed them and just delt with the cloud provider.
Cloud vs Hosting Provider
While I don't agree with everything in the IBM blog you seem to imply that a "traditional hosting or outsource agreement" will be more secure than a cloud. I really don't see the difference; all the same questions need to be asked and the same onus is on you as the user of utility computing to ensure you take all the appropriate measures (encryption data in motion and at rest, DR, Identity management IDS, etc.) so that you can attest to the security and control of your data and applications. Having SLAs negotiated and agreed upon, with penalties and remedies stipulated up-front, won't make the technology more secure or the impact of a breach, to you as the consumer of utility computing, any less damaging.
Nope, not my point
My point in bringing in the hosting provider/outsourcing angle isn't that I think they are necessarily more secure than clouds or 'better'. What I meant is that with a traditional hosting/outsourcing agreement you have a negotiated contract and the ability to nail down highly specific terms and conditions. We don't seem to be seeing that level of agreement with clouds.
I fully agree that the customer/buyer HAS to do their security, avaiailability, flexibility and cost due diligence with ANY third party provider - even if it's just a website in the clouds....
Whilst the security can be managed with an encrypted overlay network managed by the cloud consumer, and some aspects of the reliability can be managed by implementing an HA system, I agree that the onus is on the cloud consumer to negotiate the SLAs in any 3rd party infrastructure.
blue, cloudy, sky thinking
So let some nu Cloud Host float some target data up there and let's see if anybody can shoot it down. We've rushed into new areas all too often in the past without proper field testing. Clouds aren't renowned for being bullet proof. My way of thinking is to keeps my feet and puters firmly planted on the ground for a long while yet. But then I am an old duddy fuddy, but I am open to new ideas, when they are tried and tested old ideas that is.
It's a probabilities game, and one with totally unknown risk factors
There's one reason why clouds, to me, are fundamentally less secure than a comparatively isolated datacentre, and that's scale.
A properly set up rack in a datacentre likely has one point of physical access, and (virtually) one channel of electronic communication to the internet at large. Assuming that your installation can run without any need to interface with external systems on an intimate, non-REST level, you can concentrate on securing those two points which can expose your infrastructure to danger.
With a cloud, you have millions more potential servers and network backends, and hundreds of potential datacentres on which your infrastructure depends. As conditions within the cloud change the layout of your infrastructure may also inperceptibly change. One moment you might be running in the UK, the next in Sweden, and the next in India, or a combination of the three, depending on what cloud services you're using.
Now while it's true that individually, Amazon/Rackspace/Ubuntu's servers, networks and datacentres may be vastly more electronically and physically secure, it only takes a vulnerability in one to compromise (at least a segment of) the cloud, because of the web of trust that linking all this parallel infrastructure together requires. The more components there are, the more intrusion vectors there are into your system. Cloud providers provide no guarantees about the internal security of their infrastructure, so for example unencrypted files may be zooming from SAN to SAN across the globe, and a network tap in the middle of nowhere might be sniffing your data. Security becomes a probabilities game: a web of 500 components with 99.9% of its stack secure is much less (60%) than a rack of 5 with only 99% of its stack secure (90%): it only takes one vulnerable component to potentially compromise the rest.
The more restrictions you place on the web of trust between components within the cloud, the less cloudy it becomes, as the article alludes to in conclusion.
There's another concern that I don't think anyone's mentioned yet: in a competitive markeT, cloud providers are looking to make efficiency savings and reduce the costs of their service. It's a fundamental race to the bottom, and I fear things will only get worse.
And for most businesses, these unknowns make clouds a risk not worth taking.
I trust Google to use ssh and secure routers
..but I would never trust the retards I have met in corporate IT. The Google Mail hack was a "spearfish" targeting an IE6-based administrative application.
The "crypto" problem is solved in the commercial world, if the right people have enough time (and that makes the beancounters nervous - high salaries and "low efficiency"...)
and another thing ...
Will Cloud Computing have to be monitored by an Umbrella Organization.
IBM's Analysis is Correct
From my experience with some major western corporations I would say IBM's opinion is correct. I am a software engineer with a CS education; I know the whole spectrum of security technologies and security practices. I also know the shabby state of corporate IT in many small, medium and big companys, public or private.
In the end, managers do not want to spend time and money on anything which could be called Proper Security. They do indeed spend more on coffee and juice than they are ever willing to spend on their own IT security.
In many cases software is simply too complex to be properly configured and secured - Lotus Notes being a prominent example.
A large financial corporation I worked with found it "too expensive" to have anything like a proper patching policy for their employees' PCs. The rationale was "that we created the PC image thirteen months ago and so you have the patch level of thirteen months ago for firefox, java and some more non-microsoft products. Certainly we will not give you admin rights to do it yourself. This is corporate policy.".
Looking at "Software As A Service"-Style cloud vendors like Salesforce and Google (apps), they do indeed have quite strong incentives (read: funding, staffing) to "do security properly". Security is part of their "core business" and not just part of that "support function IT".
A single highly competent (read: expensive) security expert can secure millions of Salesforce users, while an inhouse-system will never get that attention.
So far Theory. Whatabout empirical results ?
Google Mail (which nicley fits the SaaS cloud definition) has been once partially "owned" by hackers from that asian country, if Google is to be believed. But during the same timeframe, dozens of other companies of much smaller user populations have been "owned". NYSE and Rolls-Royce are just two prominent examples.
Some companies had their full password/email/document databases looted and published on the internet. HBGary's emails would have been safer in the Google cloud than on their own systems.
The political angle of all this definitely is an issue, as any cloud provider will be exposed to pressure by it's government. If you can't trust Uncle Sam, use an SaaS provider from a different country. If your life depends on data security, use only SaaS providers of "definitely friendly" countries. This can be a concern in the arms business, as recent events have proven.
To conclude - the cloud is coming and we will trust it the way we trust the telephone system. In other words, there won't be *any* business secret we are not willing to tell the "cloud". No, not "cynic", "realist".
Hrmm.. So HBGary should have used gmail? Oh wait... they did "They quickly grabbed and decrypted user passwords from the website, which they used to move into HBGary Federal's hosted Google e-mail." 
I think also you are confusing a lot of different things in a complex issue, you state that "A large financial corporation I worked with found it "too expensive" to have anything like a proper patching policy for their employees' PCs". When a company switches to Salesforce and Google Apps, what are the employees meant to access them with? That's right, the same PCs they use to use outlook and other CRM tools with....
Cost to properly secure in-house system: CIS
Cost to properly secure SaaS system: CSS
Cost of Security per user: COSPU
Number of users per company: NUC
Total number of SaaS users: TSU
If I were to make cost estimates:
CSS == 3*CIS
TSU = 1000*NUC
That leads to:
So a cloud provider can spend 300 times more money on security than in-house IT can do.
Which nicely meshes with the intention of users to spend more on coffee than security.
You forgot to take into account FPOOMA!
oh sorry... you did!
Not a completely outlandish thesis
I worked in a company offering digital archiving as a service (it was before an Application Service Provider became SaaS), and the security discussion came up all the time. We did some digging, and it turned out that at the time, the industry estimate was that 75% of all data theft occurred behind the firewall, and close to 100% of data vandalism was done by insiders. I shared that data with someone that worked with financial compnies and his response was that the 75% number was closer to 90% as most of the time the bad guys had gotten some employee's credentials. Their analysis was that a well constructed external archive was no worse than one stored internally, and depending on the data center certifications (NIST, SAS 70, etc.) could be more secure, especially for smaller organizations. His recommendation was that if you are really concerned, encrypt the data.
As far as data mysteriously moving around - at least AWS will guarantee that if you put your data in Dublin, it stays in Dublin.
what you just did - very clever Scott Broukell :)
All I have to say is
...known back doors for the NSA in Cisco enterprise routers, Skype backdoors for Beijing in it's Chinese client software.
In my country the PMO just invokes privacy laws when asked about what CSIS & co can access.
this cloud has a silver lining
The key advantage of centralizing security operations is that you can hire the top talent like what Amazon and Rackspace have done. You can chart up and enforce the strictest processes. Instead of 10000 security experts protecting several data centers you could have them all focus on making one or 2 bigger clouds most secure. Its all about pooling resources and expertise.
Read this: http://searchdatacenter.techtarget.com/news/1376071/Tasers-Cisco-UCS-based-data-center-project-too-big-to-fail
and this: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800075 (Visa and Mastercard succumbed to the attacks)
What is needed is the abiity for businesses to focus on their applications and workloads and leave processes as security in the hands of providers. I agree this isn't simple to do so there needs to be a gradual progression starting with visibility for customers into some aspects of the providers' security processes and ability to tweak some of them and in some cases even abstract them so that the customer is always in the driver's seat.
Its easy to bash this as "self-serving marketing" but IBM also sells a lot of security products for enterprises running their own data centers. Looking at the article and comments one could also conclude this article and comments are self-serving to consultants and security experts whose jobs/businesses may be at stake but the silver lining is securing the cloud requires expertise as well.
Skin in the game
I think that once you stipulated all the penalties, punishments, and requirements you'll probably find that the cloud becomes far less attractive from a cost perspective as for everything you stipulate the price will rise. It probably pays to be a master of your own destiny.
There is a big difference between "can be" and "is" ...
.....and vendors love to exploit the difference.
So a sentence like "‘There’s a misconception that cloud is less secure than traditional IT environments,’ says Moss. ‘The cloud can actually be more secure.’”
... is a load of brown coloured spin.
I picked the picture of a vendor with his hand in your pocket.
Outsourced to IBM
This is correct especially if your data centre management is out sourced to IBM. They will do it as cheap as possible with all the management carried out by cheap 3rd world staff. Security is non existent and you could end up with your customer data being sold by the 3rd world staff to the scammers.
Just think about the calls some of you may have received from various scammers, where do you think they got some much high quality information on you!
True and False
2. True. You can even have "private" cloud (isn't that what we have now?)
3. True. Possibly. Why? Because they can make it their core business
We've made an active decision to not host the most sensitive data in our environment. Having said that, the company providing e-Data "Rooms" is certified and we go through due diligence before engaging their services and during the lifetime of the services.
The big point is understanding the services you need or provide and match those to the core skills you want to keep in-house. Everything else you consider for changing in your sourcing model.
Paris - who outsourced many things quite badly ;-)
I wonder how much IBM Cloud Hosting insurance premiums increased as a result of this idiocy. This kind of thinking is pretty silly.
Where is my data?
When Aggrieved and Litigious rock up to my cloud provider's head office or data centre with a writ of seizure in their sweaty hands will the law in whatever jurisdiction it happens to be support them or me?
Or will it never be put to the test because the cloud provider caved in at the first sign of a suited shark?
Price of storage...
...Is FALLING. Why would anyone want to use a cloud? Clouds are great for outfits like Google, or Yahoo or even M$FT, but who in his or her right mind would want to use a cloud for main storage, let alone vital data storage? I would not even risk my employee data on such a system, let alone any vital engineering data. That stuff stays under my lock and my key, thank you very much.
The end of Saleforce.com
@Billy Catringer: So I infer you believe that Saleforce.com is doomed?