I get a lot of feedback when I mention the Cloud and cloud-based services. A lot of negative feedback. Many readers, like yourself, explain to me with sound and fury that the Cloud isn't secure and that it is an easy target just waiting to be hacked, or perhaps even waving a red cloak in front of black hat hackers. The Cloud beckons all criminal hackers to come a-runnin' with all tools in hand, ready for easy pickings.
If that's really the way you feel about the Cloud, then tell me (and the rest of us): how can the Cloud be made secure?
Will it require one or more of the following?
- Two-factor authentication
- A proprietary secure channel
- A new Cloud-specific protocol
- A new extreme encryption level
- An acceptable level of risk
I want you to consider each of the options I've given and tell me what you think. You can also respond with ideas of your own, if you feel that any of those won't work.
Allow me to consider the five options from my perspective.
- Two-factor authentication - This would be an expensive option although very secure. This method would require each Cloud user to have a secure token or gadget that randomly produces a key code that allows connectivity to their Cloud infrastructure. It would also require that the user connect to Cloud systems with a user name and password.
- A proprietary secure channel - This method would require that the Cloud provider distribute a piece of client software to each customer with a specific connection code, kind of like a license key. The key would validate the client software, customer location and a username/password combination to secure the channel.
- A Cloud-specific protocol - A new protocol could take years to implement, but it could work. For example, it could link two sites together for Cloud use with some sort of end-to-end verification so that no man-in-the-middle attacks or spoofing could occur. This new protocol could also require new client and server software, but at least this time programmers could get it right by having the time to create a truly secure communications link.
- A new extreme encryption level - Most encryption levels can be hacked with some effort, but if a new super encryption level were to be created, it would prove virtually unbreakable, at least with currently available computing power.
- An acceptable level of risk - This seems to be the least popular, although the most likely, scenario. Vendors will do what they can, within reason, to secure systems and communications. The problem with the other four options is expense. With competition constantly driving prices downward, vendors have to make a 'best effort' and rely on best practices to provide as much security as is reasonable for the price. That means accepting a certain level of risk.
I'm in favor of a secure Cloud. No one wants to have their data stolen. But no one wants to pay for the extreme security required for a non-confrontational view of the Cloud. I think that we have to strike a balance between price and security for the Cloud to become a reasonable place in which to do business.
The question is, "How much risk are you willing to accept?"
Write back and let's discuss the options that you think will make the Cloud an acceptable place for business and data.