Summary
One of the biggest hindrances to rapid adoption of cloud computing, particularly for enterprises, is the level of security available. The question that inevitable arises is “Is my data safe?” The answer appears to be “Sortof!”.
Analysis
Nearly everyone running an application on a server wants to keep their data secure. At least, they want to be able to control which data is available to the public, which data is available to selected groups of individuals, and which data is available only to them. Beyond that there are really only two considerations that drive security concerns: How important is maintaining actual control, and how important is the proof of control?
All security is a trade-off between cost and inconvenience versus control. Complete control (for practical purposes) can be achieved, although at a very high cost and considerable inconvenience. Systems handling financial transactions, for example, should have very strong control regardless of cost and inconvenience to the users. The potential payoff to a hacker or thief for these systems is significant, which means the probability someone will attempt to break in is quite high. Similarly, the potential damage to the system owner is significant and thus very expensive security controls are warranted. At the other end of the security spectrum a system containing someone’s home dinner menus has no payoff to a hacker, essentially no damage to the owner, and thus minimal security is justified.
Cloud computing providers have a business incentive to provide strong levels of security to their customers, since their business would be severely damaged if they had customer data exposed or stolen. Thus it appears strong controls are warranted. However, the cloud computing business model is based on providing low-cost computing and storage resources, which automatically eliminates high-cost security models. This leads to a scenario where cloud providers need to provide strong security with minimal cost.
One of the best security controls is not divulging details on the security systems in place. Breaking into systems is far easier if the defensive measures are known. Not providing information costs nothing, so one of the cheapest and best security measures is to simply not provide any information on the security systems. This is the reason why cloud providers are reluctant to do so.
Many customers, however, not only need to ensure good security controls are in place, but they need to know the intimate details of those controls. In the enterprise environment, “proof of security” is as important as actual security. Enterprises are audited regularly and must provide security proof to pass the audits. All public companies must pass annual Sarbanes-Oxley (SOX) audits, and to do so they must provide proof that all their financial data and systems are protected. Companies subject to PCI or HIPAA face even more rigorous audits.
It is a reasonable assumption that cloud providers have good, maybe even great security in place, but until they are willing and able to provide intimate details of that security to customers much enterprise data simply cannot be placed in the cloud. Of course, the action of providing the data lowers the actual security available, and thus becomes partially self-defeating.
