A Thought Exercise on the Security of Cloud Computing

A Thought Exercise on the Security of Cloud Computing

August 7, 2012, 11:29 pm
Filed under: Uncategorized

There are many who believe that the security of content stored in the cloud is inferior to that of on-premises systems.  Given the recent and well-publicized problems with Dropbox, for example, critics of the cloud – at least in the context of security-related issues – have been given fodder for their beliefs.

That said, I thought it might be useful to see if cloud security really is lacking when compared to its on-premises counterpart.  Given that there are numerous places at which security breaches and related problems can occur, here is a very simple thought exercise to consider:

• Employees:  numerous studies have demonstrated that employees are the most common source of data breaches and related infractions.  Most of these are inadvertent – such as sending an email with confidential information to the wrong person, mistakenly posting sensitive content on a Web site, or employing weak passwords – but in some cases an employee maliciously breaches or steals information.  If all data is in the cloud, employees can still be just as responsible for committing both types of data breach.  However, given that some breaches occur when someone loses a backup tape, the cloud can actually be a bit more secure given that backups of cloud-based data are normally managed by the provider, not internally.  The security nod here (albeit only a slight one) goes to the cloud.
• Malware:  another potential source of data breaches can occur when malware infiltrates through a rogue application, an employee-owned device, etc.  Various types of consequences can ensue, ranging from minor irritation to massive data loss.  Here, too, I believe that the cloud has the edge over on-premises systems, at least for the latter in SMB environments.  The problem is not with the on-premises technology per se, but rather with the level of investment that smaller organizations – and even some larger ones – are able to make to meet the malware challenge.  Cloud-based providers, particularly larger ones, normally can make the significant investments required to protect data.  Advantage cloud here, as well.
• Hackers:  there have been numerous incidents of hacking in recent months, resulting in the theft of login credentials, data and other confidential and sensitive information.  Here, I would give the nod to on-premises infrastructure – not because it is inherently more secure, but rather because the typical company represents a smaller target than a major cloud provider and is simply less likely to be the victim of a robust hacking attempt or advanced persistent threat.  Advantage cloud, but not because of the robustness of on-premises technology.
• Physical security:  if you could win a $50,000 prize for walking up to and touching a live email server or getting your hands on a backup tape of sensitive data, would you be more likely to attempt to do so at a) your company or b) at a Google, Rackspace or other major cloud provider’s data center?  I think most of us would opt for a) given that there is normally less physical security (two-factor authentication at doorways, video cameras, alarm systems, etc.) in most companies than there is at a major provider’s data center.  Here, the advantage will normally go to the cloud.

A couple of important issues to consider:

• First, you hear more about cloud providers’ data breaches and other security lapses simply because they’re more impactful and more interesting to report on than a data breach at XYZ Manufacturing or a rural school district in Nebraska.  This doesn’t mean that cloud providers suffer more data breaches, but rather that they’re a bigger deal than the same type of breach that might occur 50 times a day elsewhere.
• Second, security should encompass a wide variety of issues, not just the choice of where your data is stored or who manages it.  Good password management, user education, sound retention and deletion policies, monitoring, etc. are all part of the mix and must be part of the security discussion regardless of where your data resides.

About these ads

1 Comment

1 Comment so far
Leave a comment

RSS feed for comments on this post. TrackBack URI