For the cloud to thrive, security must be better

Summary: Enterprises look at this new concept of cloud computing and compare it too closely to how old school IT should be managed. It has got to improve, says Engine Yard's Tom Mornini.

TOPICS: Security, Cloud

Commentary - The growing success of cloud computing is driving every organization in every industry to understand how the cloud affects their business. Cloud, as a topic of discussion, has moved beyond developers and IT organizations and into the boardroom of the world’s most prestigious companies such as NASA, Eli Lilly, and 3M – all of which are leveraging the cloud in some way. While debate rages about the benefits that cloud computing delivers, few topics at present are debated as hotly as cloud security.

Security is one of the most talked-about concerns in computing, but it is mostly due to confusion about how cloud security works and how companies should go about managing it. In many instances, enterprises look at this new concept and compare it too closely to how old school IT should be managed.

Today, enterprises are demanding that cloud providers continue to innovate on behalf of the industry and use, adopt, and even develop standards to drive performance, scalability and user satisfaction while exceeding the highest levels of security according to traditional on-premise IT. It has become very clear that while many enterprise IT folks appreciate the cloud, security has become a linchpin of sorts for those who are resistant to the concept. For this reason, I believe that cloud security must be superior to traditional computing security before it will be fully accepted, as the risks are too high for enterprises to bear.

Here are some factors to keep in mind when deciding whether or not cloud security is good enough for your enterprise:

Reasonable security standards
A large number of data breaches occur because of issues with internal security and protocols. Security concerns are the number one roadblock to enterprise adoption of cloud computing, yet most security breaches occur on-premise. Whether it’s a code glitch, unencrypted network traffic within a secure data center, a disgruntled employee, or a thief on your payroll, enterprise data may well be more secure in the cloud.

The case for public cloud
While it may sound counter-intuitive, I firmly believe that applications deployed to public clouds will prove to be more secure than those deployed on private clouds. Why? Because the on-premise approach to security is the modern day equivalent of the Maginot Line: Data security can only be guaranteed if the data is entirely secured from attacks from all directions. Putting data in a building secured by a guard in front of a large steel door is not the answer to today's security problems!

Physical security is important, but it is short-sighted to believe that vendors and outside companies cannot physically secure your data as comprehensively as your own organization. Since when is managing data centers, servers and switches a unique skill?

How cloud security is different
Applications built and deployed on public clouds are not secured by traditional methods, but instead will rely on methods that are appropriate to modern concerns. Public cloud security should ensure that the people who understand and know about the data aren't the people who secure it digitally, and also aren't the people who handle the physical infrastructure.

Imagine trying to physically take data from a public cloud provider:

Step 1) Break into the well secured data center
Step 2) Behold hundreds of racks of identical servers
Step 3) Attempt to locate servers storing desired info
Step 4) Realize there are no labels and no physical proximity to aid in locating these servers
Step 5) Unrack or gain root access
Step 6) Say hello to the IaaS vendors’ security detail and local law enforcement

When you take a close look, it’s clearly not practical. :-)

The importance of security professionals
Security professionals are some of the most important hires enterprises make. Unfortunately, security does not show up on the bottom line. If I were running a media company, my highest goals are not likely to include building a crack IT security team. In fact, I’d want such a team about as much as I’d want a team of electrical engineers on the payroll to run the power plant behind the building!

IaaS providers have incentive to build highly specialized teams that know how to secure data. All of these organizations have vast security expertise specialized within their functional domain. Moving to the cloud can benefit and augment an enterprise’s security capabilities by allowing teams that are larger, and more specialized, to focus on securing enterprise applications. These external teams can handle the day-to-day tasks of securing the bits by monitoring vulnerabilities in stack components and patching them, data backup, OS hardening, etc. This will free internal security experts at enterprises to manage security of the application itself.

Two questions executives aren’t asking
I believe that the two most important questions are not getting asked at all:

  • Are all stack components open source projects that are fully transparent and scrutinized by huge numbers of third party technologists?
  • How is encryption being used to increase security?

Public cloud security addresses top threats like malicious insiders, unencrypted packet hijacking, and shared technology vulnerabilities. Executives who appreciate the benefits of cloud computing concepts in general need to understand all of the advantages before deciding that they’d be better served by building a cloud behind their own Maginot Line.

The bottom line is this: “We’ve always done it this way...” is NOT the way forward.

Tom Mornini co-founded Engine Yard to provide the infrastructure and support necessary to fuel development of Ruby on Rails applications. He has spent nearly 30 years as a software programmer and software architect with experience encompassing nearly every major development platform in that time and 20 years leading companies as a serial entrepreneur.

  • *sigh*

    Lemme break this down, since it appears that half of ZDNet doesn't get it...

    If someone gets the data off the server rack in my office, regardless of how they do it, it's my neck on the line.

    If someone gets the data off a server rack in $IAAS_PROVIDER'S data center, regardless of how they do it, it's my neck on the line.

    If I feel that a security measure is necessary, I can very easily implement it on the servers in my office. I have quite the uphill battle to get an IaaS provider to make a change on my behalf.

    If my data is on my server rack and I decide that I want to use a competitor's software, I'm responsible for making the change and migrating the data, as it sits on hard drives I can physically touch. If I want to change to a different IaaS provider, I may or may not get my data back, and even if I do, I have absolutely no guarantee that they'll actually delete the data once we terminate the contract.

    If I want to update a piece of software on my servers, I can do so on my timetable. If Google decides to update Google Docs and I don't want them to, I have no say in the matter (yet am still bound by point #1).

    If a SaaS provider has my data, they therefore have no incentive to continue innovating their software, since we're paying the bill whether they're coding or not.

    Cloud computing seems great on paper, until you have your first conference call with your SaaS provider and they tell you "we won't do what you want us to do". If you, sir, have not hit that point yet, drop by my office one day and I'll introduce you to a few people who can tell you story after story after headache-inducing story about how the few SaaS providers we HAVE been using have been nothing but hell to deal with, to the point where people are begging to go back to the terminal emulators on our 25 year old AS/400 system.

    • RE: For the cloud to thrive, security must be better

      Hi Joey, there really are IaaS providers out there who care and will go above and beyond, and aren't just "cloud providers". Not sure if this is kosher to sorta advertise, but you should definitely talk to us at

  • RE: For the cloud to thrive, security must be better

    "Since when is managing data centers, servers and switches a unique skill?"

    It's less about skill and more about time tables. You're at the mercy of your provider's time table, whether it's a reasonable time table or not, if you're on the cloud.
  • Yawn...

    What do you know, another ZDNet blog about "the cloud." Are you writers so bereft of ideas that all you can think of is to ply us readers with more of the same old drivel? How many blogs does that make, 10,023? Once again, we all will elevate to "the cloud" within mere microseconds and American society will be saved from itself if only we can be made to believe. What utter crap.
    • RE: For the cloud to thrive, security must be better

      @nikacat exactly.
  • Yawning also...................

    Like most of us who've been in the IT industry for longer than we care to acknowledge, I've seen things come and go. Until something revolutionary comes along (and it's been quite some time), buzzwords like 'cloud' will continue to roll along - lining many pockets (marketers, consultants....) with cash as they go.

    Weather Report: The 'clouds' will clear and we will have blue skies again in the not too distant future.