McAfee Labs

Jumping on the Cloud (In)security Bandwagon

By on May 12, 2010

A column published this week by Robert Westervelt states that federal CISOs who are delaying broad cloud-based deployments are doing so because they are concerned about security. This sentiment has been echoed several times before. In late 2009, Colt Telecom Group commissioned a study with research firm Portio, which stated that 68% of European CIOs and IT decision makers say security fears prevent them from adopting cloud-based services. Other research firms have performed similar studies, and the share of respondents who named security in the cloud as their largest concern has ranged from 55% to 70% on average. This is a serious image issue that cloud-based services need to address if the space is to remain viable long-term.

This discussion raises the obvious question: Are cloud-based services more secure than providing the same or similar services in-house? My response to this question is “they have to be.”

It is not uncommon for small and medium-sized businesses to have a skeleton IT staff with far more on their plates than they can handle at any one time. These technology stalwarts put in long, hard hours supporting user desktops and laptops, the network, mail servers, finance and billing systems, the corporate intranet, and other critical systems just to keep the company’s day-to-day operations running smoothly. Security is frequently an afterthought and is done in the IT department’s “spare time” (quotes added for comedic emphasis 🙂). Because cloud providers who store your sensitive data are also storing similar high-value intellectual property for other companies, securing their infrastructure and your data is paramount to their viability as a company.

So, “they have to be” may not be the most quantitative and convincing argument, which leads me into what I believe will be necessary for the cloud-provider space to continue to be a viable alternative to in-house solutions long-term and what organizations will be looking for in order to calm their fears that the cloud is a “cowboy” space that cannot be trusted: adopted standards, best practices and benchmarks.

The Cloud Security Alliance has taken the lead in this area by publishing several best practice and research documents that cover critical focus areas for cloud solution providers to follow. This is a great first step. The next key is for companies who are serious about surviving in what is going to be an ever more competitive space to adopt these best practices and standards. As cloud service providers adopt these standards and obtain critical certifications (e.g. ISO 27001) that differentiate them from their competitors, we will see more benchmarks that compare them on a level playing field and truly separate those who are serious about being players in the cloud services space for a long time to come from those who are just trying to ride the wave and make a quick buck before the next wave comes along.