Numerous studies (2013 Cloud Computing Study) have suggested that cloud security is a major adoption stumbling block for major enterprises. I think this is bogus. It’s not that I doubt the study results but I think that security is the “excuse” executives and people use in general when they don’t want to do something or don’t understand the benefits of something. It sounds more intelligent and risk averse to say “security is my concern,” than “I don’t know what benefit the cloud has for me.” or “I don’t understand it.” I hope that doesn’t come across too harshly. I didn’t mean to indicate that these people are even consciously choosing to say that to avoid saying the other things. There is nothing wrong with saying “I don’t understand it” or “I don’t understand it’s value.” It’s just that referencing security sounds better and is not arguable because to argue with someone about the security the arguer ends up looking like a risk taking fool. There are plenty of examples of cloud “insecurity.” There are also many examples of non-cloud security problems.
For me the reason I say all the above is that I’ve heard this so many times before. Believe me I am not minimizing the importance of security. I am minimizing what people think is the difference in security they are achieving by avoiding the technology X. I remember very distinctly how people would tell me that nobody would be stupid enough to put their credit card on the internet. This was naive to me because we all have little slips of paper with our credit card information in restaurant garbage heaps with our credit cards imprinted on them. The fact is that credit card fraud exists and it was no more likely to be a problem on the internet as it was in real life since the whole system is extremely easy to defraud. I was aware at the time that the encryption used for http while less than perfect is a lot better than the rolling copying machines used by my pizza delivery guy. How many times have you left a credit card at a restaurant or some other place? The argument seemed stupid at the time and I think the cloud security argument is not much different.
The fact is that as soon as people saw some bargains and things that were valuable to them on internet web sites their concern for credit card exposure disappeared overnight. I am pretty certain that this “cloud security” impeding enterprise adoption of the cloud is the same exact thing. If the cloud offers a reason people will find a way to justify using it regardless of the “cloud security” argument. The fact I will argue in this post is that cloud security is no different than the security you have in your enterprise today. This is simply not a good reason to avoid using the cloud.
Let’s take one example. Salesforce. What could be of more secure nature to most enterprises than their sales data, customers and key exchanges with them. What could be used by a competitor more swiftly than some juicy gossip about who your customers are and what they paid when for what. Yet Salesforce has won big corporate customer after big corporate customer. The security argument was used with them at some point but small and big companies use Salesforce today. The same is true with a raft of SaaS companies. If the product actually delivers a value then pretty soon after that the security argument becomes a detail to be worked out somehow.
The government has some of the most secure sites and technology available and practices secure policies. What happened there? Edward Snowden uses a USB drive to copy megabyte after megabyte of secure information and willy nilly distributes it. I remember financial companies I did business with would sometimes epoxy the USB ports of the computers to prevent USB sticks from being inserted but this also meant people didn’t have access to external keyboards, mice and other handy things that USB ports are good for. How many enterprises still have such policies? How many people do such policies really stop vs other ways to acquire the information if one is at all creative or motivated. The primary vector for loss of information is human leaks from inside people. This risk exists whether the information is in the cloud or sitting on the most secure computer in your network. If someone can see it on a screen there is almost certainly some way to copy it and eventually distribute it if the person has a motivation for doing so.
The point of this is that most data breaches are a result of an inside job. Therefore it makes no difference where the data is stored. I’m not suggesting being lax about security. I’m simply saying that the assumption that cloud security is worse than your own security is something that is hard to prove in practice.
Here is an article that provides some meat behind these statements
That is NOT to say that it’s irrelevant to consider cloud security. Quite the contrary. I am saying the problem of cloud security is not inherent to cloud but security is a problem that most enterprises have and the cloud does not inherently exacerbate it. What we have to do is establish good policies across all places where corporate data resides and recognize there is nothing we can do other than to apply the best practices we know. A CIO at Netflix 2 years ago said that of the thousands of computers in their networks you have to assume that some have been compromised with various malware, viruses, spy software or other even more malicious technology. Cloud companies use the same technologies you and I do to secure our enterprises. They are more likely in surveys and studies to perform these tasks more securely than your company and you are. The article above suggests that many corporate security policies are flawed. It is a specialized core competency to understand software security and it is more likely a software company understands the procedures and people to insure that security than a random company.
The 4 walls of the enterprise are breached by numerous “other things” from BYOD, SaaS, PaaS, APIs, mobile applications and cloud solutions of all types. More and more companies are having their 4 walls slowly being turned into swiss cheese because they use SaaS applications of all types which have pushed secure information into the cloud. Even for companies that think they keep strict control of all these things and keep their workers working in the dark ages without all these great tools there are still projects in distant parts of the company doing things that violate company policy, under the radar skunk works projects have always existed and today more than ever and all using things which violate company policies. Lastly, a survey of where the most skunkworks projects are being done inside companies? IT departments are the biggest to break their own rules. Seriously is anyone surprised?
I am not saying that security, risk management is hopeless or that it is terrible everyplace and we are doomed. I am simply saying that when one considers the security of the cloud you have no choice but to live with it and adjust, establish best practices and enforce them uniformly. It is not possible to live without the cloud and BYOD and SaaS applications and if you think you can you are either probably fooling yourself because parts of your organization are doing it anyway in various skunkworks projects that are not transparent to the organization or you will suffer a lot of impact from not using this technology. The more you make it impossible for people to utilize new technology the more they will strive to work outside your system and do something stupid which ends up defeating the whole purpose of the controls. Does this seem right? If so, then you need to embrace and learn about this new technology and learn how to be secure with it.
WSO2 is used by major companies throughout the world including airlines, banks and we supply world class Identity Management product as well as OAUTH, 2 factor authentication, single sign on federated identity management and other security technologies. All WSO2 products can be secured using various security protocols. All WSO2 products are cloud-native, multi-tenant and can be deployed securely in the cloud. We provide best in class security in API Management, Cloud Gateway, Governance Registry and WSO2 Enterprise Store.
Please sign on to follow my twitter feed as well. @john_mathon
4 thoughts on “Security in the cloud age”