Security better in-cloud than in-house: Google

Organisations worrying about moving their infrastructure to the cloud should worry less about security, as most of the time it's actually more secure, according to Google.
Written by Michael Lee, Contributor

Although security is one of the top concerns when it comes to moving to the cloud, the cloud is more secure than what most organisations are currently using, according to Google Enterprise Director of Security Eran Feigenbaum.

"Cloud is typically less expensive than traditional on-premise software — especially if I start adding all the other costs of backup, antivirus, storage, etc — but it shouldn't mean that it's cheap [in terms of quality]. There may be different providers and different solutions that are intended for different purposes [...] but I believe that cloud computing, compared to most organisations [and] what they're doing today, is probably more secure."

Feigenbaum, who spoke at the Australian Information Security Association's National Conference 2012 in Sydney today, qualified his claim, saying that the level of security would be different depending on the type of organisation and who the cloud provider was, but he said that in most cases, his claim still held true.

For those organisations that believed cloud providers could do a better job of managing security when it came to accepting a software-as-a-service offering, Feigenbaum said that there were a couple of things they could do to ensure that they weren't being taken for a ride.

He first pointed out that, with an infrastructure-as-a-service model, organisations are still in control of the security of the services and software installed, so in order to truly offload the day-to-day security of services, they needed to go to the software-as-a-service level.

However, this would present a new challenge in determining how secure the provider is, considering that most cloud providers don't like customers tinkering around with servers.

"Most likely, your cloud provider is not going to allow you to run forensics tools on their server. They're probably not going to even let you into their datacentre, period."

Instead, he pointed to the various compliance schemes that cloud providers generally abide by, and said that organisations interested in their offerings should use the resultant audit reports as a guide.

Organisations should demand to see a copy of that audit report, he said, and any vendor who refuses to provide it probably has something to hide. He acknowledged that the report would likely have confidential information in it, but pointed to the fact that other cloud providers, Google included, were freely providing these reports to would-be customers.

But no matter which provider an organisation picked, Feigenbaum warned that no one was immune to attack, and that if a breach occurred, customers should fight for the right to know what happened.

"One thing I would insist if you are moving to the cloud, and contractually insist, is that if there is a security incident affecting your data, that your provider needs to tell you. There's no if, ands, or buts," he said.

"You may not need to know the specifics, but you need to know what data was affected, when it was affected, and what your cloud provider did to remediate that."

Knowing about it isn't enough, however, and Feigenbaum suggested running security drills so that organisations knew how to respond effectively, and weren't learning how to do so in the midst of an actual security breach.

To assist in being prepared, he suggested putting in place an incident coordinator — "somebody whose whole job in life is to respond to that incident, to triage whatever is going on, and they have authority from the top to pull whatever engineers they need, to interact with PR, to interact with customer support, to interact with customers themselves."

He explained that another benefit from the exercise and the appointment of an incident coordinator would be that organisations can take the lessons learned and bring them back to their cloud provider, to determine what actions they will take and how they will work with them in the event of a breach.
