Clouds are not secure, clouds are not reliable (Part 1 of 2)

Commentary - Recently I read a Bloomberg Businessweek article titled “Cloud Security Is Looking Overcast” that discussed several of the reasons many businesses either will not, or are reluctant to, adopt cloud services; especially public cloud services. While I do not necessarily disagree with the article in general, or even with what the author offers as reasons why businesses are concerned (and they are concerned) about the security or reliability of cloud solutions, there are a couple of additional items I believe are worthy of further discussion.

Myth-conceptions
Previously, I wrote about some of the myths of cloud computing. Reading the Bloomberg Businessweek article prompted me to expand my list. I would like to be clear, I am not at all stating that the author is wrong about the items discussed in the article, nor am I suggesting that businesses and IT managers are not concerned about them. The article addresses things I read about and discuss with people on a daily basis. I simply believe we need to continue the discussion and that doing so may help to dispel a couple of common myths about cloud computing. I will cover the first here, and the second in Part Two of this series.

Myth: (Public) clouds are not secure
The Bloomberg Businessweek article discusses some very valid concerns regarding cloud security including compliance with policies designed to protect a business from hackers and malware, and concerns over the security of data. Both are valid and without question, both must be addressed by cloud providers and cloud consumers. To illustrate the latter, the author provides a great example of a search engine company that is concerned that customers' sensitive search information will be left behind for future users of cloud services to discover, even after they have deleted it. (They guarantee their customers' data will not be kept anywhere.) This is a legitimate, well-known issue that has existed for decades.

To address this, some cloud providers guarantee that their customers' data is deleted and over-written before storage resources are given over to different customers. Others do not. It is important to know which policy your cloud provider follows, because file deletion can leave sensitive data on the disk. Recovering it might be analogous to the old detectives' trick of rubbing a pencil lightly across a notebook to learn what had been written on a recently removed page. This can sometimes be helpful, as it was when I was able to recover photos from a memory device that someone had accidentally wiped clean. In other cases, such as the one covered in the article, it can be potentially devastating to a business.

Beyond acknowledging this concern, let's take the discussion a step further.

While it is true that not all clouds are as secure as specific businesses may need them to be, I believe it would be untrue to state that all clouds are insecure. In my experience, that is a common - albeit frustrating - conclusion. It is also not the case that every cloud is secure enough for every business application; though there are plenty of very good cloud providers who can supply adequately secure environments to meet the needs of most businesses.

There are also cases where cloud providers can provide a much higher level of security than specific businesses are able to on their own, especially smaller businesses. Good providers will be laser-focused on security and they will have the additional advantage of being able to employ the highest level of security expertise - expertise that many businesses would never be able to afford. The providers' volume and business models will enable them to provide this expertise to their customers at a lower "cost per customer," and this is one of the key advantages of clouds. Though, cloud consumers should not assume that these services will be included in their cloud contracts, even when they are known to be offered by the cloud provider.

Diligent attention to the contract terms remains critical.

In Part Two, I will address another myth: (Public) Cloud Services are not Resilient

biography
George Watt (@GeorgeDWatt) is VP of Strategy, Cloud at CA Technologies. For nearly 25 years, George has been helping customers simplify and automate their complex IT infrastructures.