Recently, I was talking to a group of people about cloud computing and
its plan for world domination. One of the issues that surprised me is
the way people take a binary approach while talking about cloud
security. The debate usually goes on with one side making a blanket
statement that cloud computing is totally insecure and the other side
claiming that it is very secure. In fact, I have been a participant in
these kinds of debates in the past but I am more enlightened now. There
is no one-size-fits-all solution when it comes to security. It applies to
cloud computing too.
All sides in this debate forget a few important points while letting their emotions run high. Some of them are:
- There is no foolproof security in the traditional computing environment either
- We can take most of the stuff from our traditional security toolkit and apply it to the cloud
- We need some rethinking in the way we approach cloud security, especially the public clouds. One aspect is the cloud scale itself and the other is the multi-tenancy
- Cloud Computing is a relatively new field and it needs time to mature both in terms of its technological capabilities and in terms of its security. Security always follows any new technological advance with a time lag
- The needs of all people (well, businesses) are not created equal

Having said that, there is one very important aspect which cannot be
ignored in any discussion or debate. It is the context. If I wore the
Steve Ballmer hat while talking about this topic, I would be dancing on
the stage shouting “context, context, context, context, ………”.
Both sides of the cloud security debate ignore the importance of
context and, as a result, the debate has turned into a shouting match
over whether the cloud is secure or not secure. It is time for us to move
beyond this rhetoric and dig a bit deeper into it.
The approach to cloud security should follow the same approach we take
for everything else in our life, from national security to the security
of our personal belongings. There is no simplistic binary solution to
this problem. In real life, we approach security based on
context. The same approach is needed while fine-tuning our strategy for
the clouds. When it comes to national security, there is no
one-size-fits-all approach. An interstate highway in a desert will need minimal
security with respect to a terrorist attack compared to a bridge in an
important city. Similarly, a nuclear power plant will need maximum
security compared to both the bridge and the interstate highway. The
most important aspect of our approach to national security is the
context. We don’t use a blanket solution here. The same can be extended
to our personal belongings too. We don’t keep everything in a bank
locker or a fireproof safe. The context is important in our everyday
personal security strategy too.
So, any discussion about the security of the clouds should take into
account the context to make any sense. The security needs of a local
ice cream vendor are different from those of the real estate agency and the bank.
Since the needs are different, our evaluation of security should also
be different for each case. For example, the hobbyist fiddling around
with an EC2 instance might be OK with just its basic security groups, while
the ice cream vendor may need multi-factor authentication. The paranoid real estate agent might be happy with the Amazon Virtual Private Cloud.
But the local bank would want to have its own private cloud. The
needs of every business are different and we need to take them into
account while determining whether cloud security is good enough or
not. In the above scenario, the public clouds are perfectly secure for
the hobbyist, ice cream vendor and the real estate agent but they are just
not enough for the local bank. The binary approach taken in the debates
on Cloud security ignores these individual needs and, also, the
relevant strategies.
The example I have used is very simplistic for the scale of the cloud
computing market but it scales well to fit the discussion there. The
needs of small businesses are different from the needs of Fortune 1000
companies, which themselves are different from the needs of Fortune 100
companies dealing with, say, financial data. There is no way we can use
a one-size-fits-all approach to the security of these businesses.
Context becomes important here. Even within an enterprise, some of the
data, not controlled by any regulations, might fit well in the “less”
secure environments whereas the data covered by regulations like PCI
(financial data) or HIPAA (healthcare data) will require a “very
highly” secure environment. The security policies inside an enterprise
itself can vary depending on the context of the data being considered.
In short, Cloud Computing is neither the miracle pill that solves all
the security problems nor the rabbit hole through which thieves can get
in and get out freely. Rather, it is a new technology that has evolved
from the technologies of the past, offering a somewhat ubiquitous
availability of computing resources. Instead of making a blanket call
about whether it can be adapted into the existing workflow of any
business or not, it is important to take a closer look to see if it is
possible to take advantage of its benefits in certain parts of the
business workflow. The context is important in determining whether cloud
computing is secure enough for a business or not.