Cloud Computing and the Assumed Lack of Security

At a discussion with Oracle President Charles Phillips and Matt Trevathan last night, the question of whether or not Cloud computing or grid computing systems are inherently weaker was brought up.  The question was raised related the privacy concerns of people’s data flowing across “foreign” systems, and the duties of the organizations involved in utilizing these systems.  The discussion was interesting and you can see my article on it here, and the archive of the live broadcast should be posted here at the MIT Forum in the next couple of days.

One token I want to highlight from the discussion is the concept that utilizing services is inherently insecure.  I don’t agree with this flat assumption and despite a great deal of discussion feel that SAAS and Cloud type systems can be equally as secure as internal operations.  Beyond that I feel that we have allowed a bias assumption be introduced into our quantitative risk calculations.  That bias is – we don’t own those, Amazon for instance, AMI’s and don’t control physical access to those systems so we have less confidence in them.  True we don’t have access and others DO have access – does that make them inherently insecure relative to other such systems?  By other systems I am implying the Internet itself.  We currently operate our own data centers in the happy walls of our buildings and push packets out of our firewalls to clients, suppliers, BPO providers, 401k processors, partners, remote offices, home office team members, coffee shop workers, and numerous other locations.  The fact is that there are likely 20 devices in line that we have no control of whatsoever!

The impact is we must establish secure communication technologies between points A and B; we must place laptop encryption on portable devices; we must establish certificates and authentication mechanisms to ensure the authorized persons and systems are communicating, and we must have agreements between all the parties.

The fact is the situation is the same.  Controls are required, assurance is mandatory, and we must have confidence.  Check out the discussion on GPB, and please add to comments any further thoughts.

How does this fit in with PCI DSS and other regulatory concerns?  Simple – the technology platform is evolving, we currently consume dozens of services that are hosted and managed on the Cloud, and it is only going to grow.  Hybrid models will be with us for a very long time.  The good news is current legislation and mandates do not restrict the use of such systems and have sufficient language to leverage these technologies while meeting the intent of the regulations – securing the data.

Kind Regards,

James DeLuccia IV

Advertisements

One response to “Cloud Computing and the Assumed Lack of Security

  1. Can one be PCI compliant if they are on the Amazon EC2? or does that alone disqualify you even if you followed security best practices?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s