Computerised clouds are often similar to their water vapour-based counterparts; they're amorphous in the middle, and often fluffy around the edges. That can spell problems for IT departments when securing their private clouds, and for public cloud providers when locking down theirs. Danny Bradbury and Jim Reavis, executive …
It's a misnomer...
.. the mere fact you've given the responsibility of your infrastructure to a third party means that, aside from you, somebody else has access to it. You've basically lowered the bar on the 'physical' aspect of a secure network.
Dumb article title
Everyone knows you cannot be "Fully Secure" no matter what you use.
A more appropriate title would be: "Can cloud based systems ever be as secure as their equivalent traditionally hosted systems"
Disclaimer: Didn't listen to the interview; maybe this was the first point brought up.
Not quite the right question
Not "Can clouds ever be fully secure?" - nothing can ever be 'fully' (100%) secure. Even getting to 99.99% imposes such costs (in implementation and impact on performance and usability) that most businesses would be silly to try to achieve it - leave that for the NSAs and GCHQs.
The correct question is: "Can clouds ever be secure enough (for our needs)?". To which the obvious answer is that it depends on what your needs are. If you're an aforementioned security agency, probably not. For most organisations, the answer will be a definite 'maybe'.
So: carry out a risk assessment to identify what your security needs actually are; choose a supplier that can demonstrate their ability to provide an appropriate level of security (by certification or through your own due diligence); negotiate a contract with appropriate safeguards and penalties - and Robert is your parent's brother.
Just to answer the question ...
Can clouds ever be fully secure?
It's that simple.
I see people selling services to customers on the cloud, but their own PCI compliant architecture is still well and truly locked down in their own datacenters where they have physical access to the kit.
I will be very surprised if anyone trusts the cloud with their own money.
Who put this presentation together??
The images are REALLY bad, and give the impression it has been put together by a 4-year-old. When the guy said 'this will probably take a while' (around 2m35s), and a crappy image of an old alarm clock appeared, I lost the ability to take it seriously.
Suggest it would have been better as an audio-only presentation, as this demonstrates neatly that there are times when no pictures are better than the wrong ones.
Didn't bother to watch the video
.... it's already common sense.
1] Keep my data in a small in house data centre
Hand over my data to a company who might not even tell me which data centre it's living in
2] Ensure it's kept in a UK facility
Hand it over to some random country in a totally different legal jurisdiction with implications around local law enforcement rights over my data that I don't even understand.
3] Keep my data in a small private facility with a relatively small Internet presence and attack footprint
Keep my data with a cloud provider who have a HUGE internet footprint and therefore a significantly wider attack vector. Which is a more tempting, appealing target? My crummy web server farm, or (for example's sake) Amazon's EC2 admin control panel?
By the way, if you do know where your data is being kept in a cloud facility, then it isn't cloud anyway really - that would be called managed hosting.
I don't think there's much question, cloud services are going to be the dominant force in computing for the next 10 years. The cost/benefit ratio will continue to improve and eventually outweigh the security concerns for most business.
The interesting thing here will be to see what happens when a major breach of security does occur with one of the large cloud vendors.
You may remember attempts to sue Microsoft back in 2003 for security breaches caused by vulnerabilities in their operating system. I'm not aware of anyone who was ultimately successful in those attempts, which begs the question of how blame will be partitioned out if (when!) a cloud vendor is hacked.
The easy answer would be to hold the collector of the data responsible, not the cloud provider. But imagine that ACS gets hacked and data from 30% of the F500 companies are affected. The number and size of lawsuits to spawn from that would be insane.
Right now, hackers have to work for their supper. Pick a target, find vulnerabilities, break in, learn the internal system, find the data, extract the data, profit, repeat. Putting it all in one place will change it from a grind to a footrace to see who can get there first. And they will line up -- oh how they will line up...
No, however it can be done.....
Agree with all the comments in principle, data residing in the cloud will never be 100% secure. Given the global reach of cloud solutions and the (typically US) origin of the suppliers, geographical and legal jurisdiction (e.g. the Patriot Act) will never be overcome.
However, that doesn't mean cloud can't be used with "secure data", it's what the company I work for do.
It's a case of raising awareness that it is possible to do this instead of completely rejecting the idea that "secure data" can't be viewed through the cloud.
There is only a small subset of data that is truly critical and cannot go into the cloud. This data can remain on internal systems / servers inside the firewall and never reside in the cloud, but users are able to access the data seamlessly through the cloud.
maybe surprisingly, the answer is yes!
... but only for a short, highly unpredictable length of time - rather like chocolate teapots and paper bags full of water.
clouds and Security
Security is an OXYMORON when it comes to any Windows OS.