This is the third entry in a series on the Case for Cloud (see part 1 and part 2).
There is plenty of information and opinion available about the risks of cloud computing. The Cloud Security Alliance puts it succinctly: "...customers are also very concerned about the risks of cloud computing if not properly secured, and the loss of direct control over systems for which they are nonetheless accountable." A search for cloud security risks offers up a plethora of expertise on the many risks of adopting cloud computing, as well as advice on what to do about them. Such threats include insecure application programming interfaces, malicious insiders, data loss, and account hacking. Sound familiar? Anyone who is accountable for information systems today will recognize these threats, because they are pretty much the same as the threats faced in any proprietary, non-cloud environment. The issue isn't one of threats, because those are everywhere. The issue is the loss of direct control.
To show that risks in your non-cloud environment are just as real, let's take a quick look back at 2010. According to Symantec's Internet Security Threat Report, the average observed daily volume of Web-based attacks was 93 percent higher than in 2009. Symantec discovered more than 286 million unique variants of malware. 6,253 new vulnerabilities in software were detected, another record. The underground economy is booming: an army of 10,000 bots to launch attacks against a target, such as denial of service, costs just $15.
The US government has realized that its agencies must consume a large amount of cloud computing from many vendors, both to achieve greater efficiency and to take advantage of new capabilities. In order to address security concerns it has initiated the Federal Risk and Authorization Management Program, or FedRAMP, a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Perhaps this will help set standards and build confidence in cloud computing practices that will also be enjoyed by the private sector, but it will certainly force many cloud services vendors to pay attention to security and greatly improve their offerings.
Given that many of the threats to cloud computing are similar to normal information systems threats, and with programs like FedRAMP focusing the industry to improve security for cloud environments, is there merit to the argument that an enterprise IT manager actually does have better direct control - better security - than a cloud service vendor they may be considering? To believe that, an IT manager needs to accept two assumptions: that network and computer security can be reduced to practice like other disciplines, and that the expertise to configure and administer a network will continue to be available.
Many of the technologies we are enjoying seem to be developing at a faster rate than we can learn them, but there is hardly anything moving faster than malware. While there are many foundational principles for network security, in practice, as the software we purchase gets larger and more complex, so too do the vulnerabilities and the many kinds of attacks that will take advantage of them. Not to mention all of the clever forms of "social engineering" that continue to amaze us with their unrelenting creativity. Even if an IT manager does manage to hire best-in-class security talent, those people cannot be effective without the resources to keep current - really to fully participate - in the security community.
According to Gartner's 2010 CIO Survey, "...enterprise security projects often lag behind other IT areas... security technology projects came in ninth, behind up-and-coming technologies like virtualization, cloud computing, Web 2.0 and mobile technologies, among others." Can CIOs possibly believe that they are able to provide adequate security, better than the cloud vendors they don't trust, when they are not prioritizing the resources to get it done? Possibly they do believe that. And possibly the lack of security resources is what is continuing to make them attractive targets.
This assumes that the CIO/CSO can find the right talent in the first place. Even with the economic downturn and companies de-prioritizing security, the salaries for security-related IT personnel such as network and systems security administrators are rising more than 4% per year, according to the Salary Guide 2011 by Robert Half Technology. This talent is in hot demand. So where are the best security professionals going to find work? At the company that is not funding resources? Or at a cloud vendor?
It is certainly possible for a company to achieve best-in-class performance and maintain effective direct control over network security. But it seems that fewer companies are budgeting for that outcome, nor will they be able to get the talent to make it happen. The solution? Outsource the problem to a cloud services vendor.