Mark Everett Hall

Sanity as a Service

Cloud computing safer than on-premises

To some people the cloud is a scary place. When they think of cloud computing they envision thunder and lightning and stormy weather, not blue skies and clear sailing.

A couple of recent Computerworld stories (here and here) feed those fears. Although the stories offer solid security advice to consider before putting any company applications and data in the cloud, the primary assertion of these and other stories is that cloud computing is less safe than on-premises computing.

But there is not much, if any, data to support such an assertion. In fact, most known security breaches have occurred in on-premises data centers, which should spur the opposite notion: cloud computing is safer than on-premises computing.

Before anyone can categorically declare that data in the cloud is safer than data in an on-premises data center, or vice versa, there needs to be a quantitative study. If there is one, I'm betting computing in the cloud comes out ahead.

For a cloud computing provider, the business is IT. For most companies, IT serves the business. As a result, a cloud computing operation's primary business investments will be in the computing infrastructure and staff. In most organizations, IT competes for limited resources and people.

A cloud-computing security breach is likely to kill the business. One would expect the security systems to be second to none and the security processes to be razor sharp and monitored with a vigor augmented by a CEO's and CFO's dogged attention to the bottom line.

Just because it seems logical that data outside your on-premises data center will be safer doesn't mean that it is, especially when there's no data to support the logic. I admit there's also no data to support my logic, which is why the industry needs a detailed study of which approach is empirically safer.

What People Are Saying

All things are relative

This is clearly an "it depends" kind of issue, so I don't know how you could do quantitative research that would be useful to a broad population. It is easy to conceive of scenarios where the cloud would be safer and just as easy to identify scenarios where it would be less safe. What matters is comparing cloud to your current state.

Details on the points of comparison here:

http://spiresecurity.typepad.com/spire_security_viewpoint/2009/03/is-cloud-computing-more-secure-or-less-secure.html

Pete

Agreed

I agree that some sort of quantitative study is needed to compare security in the cloud versus in the data center. Whether or not security is better in the cloud or on premise, there isn't much arguing that the perception that security in the cloud is not as good is among the inhibitors to widespread enterprise adoption of cloud computing.

Regardless of what the results of such a study bore out, we would have actionable items. We either work toward fortifying the security within clouds, or we start changing the perception of cloud security.

Let's take another look at that

Security does not necessarily imply a breach. Suppose you're the national defense department of a foreign government or just the president of the US. How much can you trust that the service provider will not access your information or destroy it at a most convenient time (like when, let's just say, the last payment didn't make it in time)?

A quantitative study?

While I don't disagree with the basic tenets of your argument, the reality is that you're suggesting we compare apples to apple seeds...

There are simply not enough enterprises (if any) who have migrated substantial amounts of critical/confidential data that was previously located on-premise to off-premise "Cloud" providers that would allow for such a study.

However, to your point, Google and the GoogleDocs platform just suffered a cross-contamination privacy issue, Monster.com has had breaches, Salesforce.com has also...they are all "Cloud" providers.

...they're also still in business after their incidents, just like TJ Maxx is in the "real" world.

How does that reflect on your assertion (or lack thereof?)

Safer? More secure? How about just as insecure as enterprises with less scope?

See here:

http://rationalsecurity.typepad.com/blog/2009/02/what-people-really-mean-when-they-say-the-cloud-is-more-secure.html

/Hoff

Exactly

There are problems on both sides. But there's a logic-based argument that bends reality to assuming non-cloud computing is safer; just as there's a logic-based argument the other way.

What I'd like to see is a research study that analyzed the security violations and measured them for cloud and non-cloud environments. How many breaches? Data lost? Cost of each case studied?

There will be problems on each side, but if we know the facts we can make more informed choices.

Cloud Security Alliance?

What about the Cloud Security Alliance?

Surely they are working on a research study of this sort? I believe Jim Reavis is the guy overseeing it.

Anybody heard anything about this?