Recently, I was talking to a group of people about cloud computing and its plan for world domination. One of the things that surprised me is the way people take a binary approach when talking about cloud security. The debate usually goes on with one side making a blanket statement that cloud computing is totally insecure and the other side claiming that it is very secure. In fact, I have been a participant in these kinds of debates in the past, but I am more enlightened now. There is no one-size-fits-all solution when it comes to security. That applies to cloud computing too.

All sides in this debate forget a few important points while letting their emotions run high. Some of them are:

  • There is no foolproof security in the traditional computing environment either
  • We can take most of the tools from our traditional security toolkit and apply them to the cloud
  • We need some rethinking in the way we approach cloud security, especially for public clouds. One aspect is the cloud scale itself and the other is multi-tenancy
  • Cloud computing is a relatively new field and it needs time to mature, both in terms of its technological capabilities and in terms of its security. Security always follows any new technological advance with a time lag
  • The needs of all people (well, businesses) are not created equal
Having said that, there is one very important aspect which cannot be ignored in any of these discussions/debates: the context. If I wore the Steve Ballmer hat while talking about this topic, I would be dancing on the stage shouting "context, context, context, context, .........". Both sides of the cloud security debate ignore the importance of context and, as a result, the debates have turned into a shouting match over whether the cloud is secure or not. It is time for us to move beyond this rhetoric and dig a bit deeper.

The approach to cloud security should follow the same approach we take for everything else in our lives, from national security to the security of our personal belongings. There is no simplistic binary solution to this problem. In real-life security, we approach each problem based on its context. The same approach is needed while fine tuning our strategy for the clouds. When it comes to national security, there is no one-size-fits-all approach. An interstate highway in a desert will need minimal security against a terrorist attack compared to a bridge in an important city. Similarly, a nuclear power plant will need maximum security compared to both the bridge and the interstate highway. The most important aspect of our approach to national security is the context. We don't use a blanket solution here. The same can be extended to our personal belongings too. We don't keep everything in a bank locker or a fireproof safe. Context is important in our everyday personal security strategy too.

So, any discussion about the security of the clouds should take the context into account to make any sense. The security needs of a local ice cream vendor are different from those of a real estate agency or a bank. Since the needs are different, our evaluation of security should also be different for each case. For example, the hobbyist fiddling around with an EC2 instance might be fine with just its basic security groups, while the ice cream vendor may need multi-factor authentication. The paranoid real estate agent might be happy with Amazon Virtual Private Cloud. But the local bank would want to have its own private cloud. The needs of every business are different, and we need to take them into account when determining whether cloud security is good enough or not. In the above scenario, the public clouds are perfectly secure for the hobbyist, the ice cream vendor and the real estate agent, but they are just not enough for the local bank. The binary approach taken in the debates on cloud security ignores these individual needs and, also, the strategies that fit them.

The example I have used is very simplistic for the scale of the cloud computing market, but it scales well to fit the discussion there. The needs of small businesses are different from the needs of Fortune 1000 companies, which themselves are different from the needs of Fortune 100 companies dealing with, say, financial data. There is no way we can use a one-size-fits-all approach to the security of these businesses. Context becomes important here. Even within an enterprise, some of the data, not controlled by any regulations, might fit well in the "less" secure environments, whereas data covered by regulations like PCI (financial data) or HIPAA (healthcare data) will require a "very highly" secure environment. The security policies inside an enterprise itself can vary depending on the context of the data being considered.

In short, cloud computing is neither the miracle pill that solves all security problems nor the rabbit hole through which thieves can get in and out freely. Rather, it is a new technology that has evolved from the technologies of the past, offering a somewhat ubiquitous availability of computing resources. Instead of making a blanket call about whether it can be adopted into the existing workflow of any business or not, it is important to take a closer look at whether it is possible to take advantage of its benefits in certain parts of the business workflow. The context is what determines whether cloud computing is secure enough for a given business or not.