Wednesday, October 7, 2009

Marketing, Uncertainty and Doubt: Information Security and Cloud Computing

What is the minimum security due diligence a company needs to do before putting its data in the cloud?

Since 2007, Amazon has been telling us it is "... working with a public accounting firm to ... attain certifications such as SAS70 Type II", but more than two years later that certification has still not appeared.

On one side of the cloud security debate we have the marketing people, who hype up the security that exists and gloss over the security that doesn't. On the other side we have the security services vendors, who sell their wares by hyping up the lack of security. And then there are the Chicken Littles running around crying that the sky is falling.

The truth is that for every cloud out there, there is some class of data that belongs on it, and there is also someone who will suffer a data breach because they put the wrong data there without securing it properly.

Can you put the New York Times on a cloud server? Of course, provided certain basic security measures are taken. After all, the Times is designed to be read by the public (forget the stupid paywall experiment they tried a few years ago).

On the other hand, you should not leave your customers' credit card data on Amazon EC2. Amazon itself specifically advises against it.

Another problem is, people are still not sure what "cloud" is. I saw a cartoon recently: "I fell down the stairs and something white is sticking out of my arms, and it hurts like hell. Is it swine flu?"

Most cloud security questions feel like that to me, so I have been accused of ranting in a presentation I did in September. Enjoy.