Why promises about cloud security make me uneasy

A security breach in the cloud could be more of a problem than a problem on an internal network.

The debate around cloud rages on multiple fronts in terms of use, cost and security. The reality, however, is that more and more technology products are moving to the cloud and companies will likely only offer cloud options in the future.

The reason is simple: it is easier to deploy and sell and the recurring revenue from subscription versus software purchase offerings is far too attractive from a profitability perspective for suppliers to ignore.

Cloud is a gigantic concept that serves many applications and functions. It includes SaaS, PaaS, IaaS, storage and backup as well as distributed application architecture. It is difficult to compare Dropbox to Salesforce or AWS to iCloud; they are all cloud but with very different users and functions.

Security in the cloud is an ongoing concern, and depending on which briefing I attend, the cloud offers more or less security than traditional system architecture. There appears to be no consensus and much debate on this. We have all heard about breaches of iCloud and how easy it appears to be to break into personal cloud spaces.

Cloud companies will tell you that their products and services are secure and you can use security products to ensure that your data and applications are secure. I am a bit skeptical.

I can maintain and monitor use and access to my user base and interrogate logs of application use; however, I lack key visibility into the backend architecture when it comes to the cloud, and I do not know the capabilities of the cloud provider and their teams to view or see data within my cloud offering.

This disturbs me because unfortunately what I don't know can hurt me. Fundamentally, I am left with a prevailing perception that cloud has as much or more vulnerability than my internally managed applications and infrastructure providing I have invested in the proper security platforms and monitoring.

I can unplug my network in a worst-case scenario, and in the cloud world this is much more difficult to achieve if a major breach of data is realized.

I recall the fear-mongering words I hear in every security conference from RSA to Black Hat that continue to repeat the catchphrase "it isn't a matter of if but when your network or application gets breached."

If this is true then regardless of what providers say it is still only a matter of time before my cloud application gets breached.

How comfortable am I in being able to manage a cloud breach? Not very, in fact I am less comfortable with a breach in the cloud than I am in my own network.

I lack control of the cloud and am dependent on a third-party vendor for disclosure and transparency, which I feel in the case of a systemic breach would not be easily available, if at all. In addition, from past experience, getting useful log information from shared devices that aren't dedicated to my business is impossible.

So regardless of the debate being had I feel very uneasy with security in the cloud no matter how many vendors seek to dispel these fears.

My challenge is I do not yet have a plan to tackle it and I have no power to stop the cloud growing and being adopted without impacting progress within my business.

The Naked CIO is an anonymous technology executive.
