Mike Kavis on Cloud Computing

June 15th, 2008

Mike Kavis, aka madgreek65, did an interesting 7-minute video blog on the topic of cloud computing where he explains his view of it as well as explaining the risks. He then followed up with a blog post on The future is in the Clouds.

In the video blog, Mike tried to explain why customers shouldn’t have to worry about the loss of data control and security. First of all, as Mike said, “these companies invested in billions of dollars in infrastructures and security and have armies of security professionals.” Therefore, these companies will have greater control and better governance and do a much better job at protecting customers’ data than the customers themselves can. Second, since “most security breaches are inside jobs”, cloud computing will “greatly reduce the risk” of such breaches. There will still be some, but the risks are reduced. Third, companies are already putting their data out there, including payroll, accounting, CRM. Since this is already being done, we just need to “shift the way we think” because “this is the wave of the future” and it’s the “next game changer.”

I have to disagree on all three points. First, not all “cloud computing” companies that have sprung up can and will invest billions of dollars in infrastructure and security. If you just look at Amazon or Google, yes, maybe. However, there are plenty of cloud computing startups that have no such budget and they have the same problems as every startup when it comes to deciding whether to invest in infrastructure or security (i.e., infrastructure wins, security loses.) So a blanket statement like that doesn’t make any sense. Even in the case of Amazon and Google, just because they can have more security professionals, it doesn’t mean customers should just trust them and not worry about security and data privacy.

Second, on the topic of insider breaches, just because the data is now in the cloud, it does not reduce the risk of insider breaches. Insiders still have access to the data; they are just accessing it a different way. Even when the data is in the cloud, the responsibility for segregation of duties and access authorization still falls on the customers, not the SaaS or cloud computing providers. So yes, while it may reduce the chance of insiders getting direct access to, say, a database, it does not in any way reduce the risk of insider breaches. In fact, I will argue that it may even increase the possibility, as you now have to take into consideration the cloud or SaaS providers’ employees. They have access to a lot more information and a single incident could expose information from many customers.

Third, the argument that because companies are doing it already and are already putting their payroll, accounting, and CRM information in the cloud, customers should just shift the way they think also doesn’t sit well with me. Just because others are doing it doesn’t mean it’s the right thing to do. Customers shouldn’t just throw away their security policies and adopt a new way without evaluating the risks.

So am I advocating that companies not adopt cloud computing and SaaS? Absolutely not. What I am advocating is that companies evaluate the potential risks and understand the business impacts before jumping into the “wave of the future.” Don’t just trust the cloud or SaaS providers to take care of security. At the end of the day, it’s the customer, not the provider, who signs off on the SOX report and goes to jail (or is fined) if the audits fail.

I am working on a series on “Tough security questions for SaaS providers”. It should serve as a good set of questions to ask when evaluating cloud or SaaS providers.

3 Responses to “Mike Kavis on Cloud Computing”

  1. Mike Kavis Says:

    You are confusing cloud computing with PaaS. Just because a company offers services in the cloud does not mean they have the level of security and investment I was talking about. I was referring to the Platform as a Service vendors like Google, Amazon, and SalesForce.com. These companies have massive data centers across the globe and world-class infrastructure and security.


  2. admin Says:

    Hi Mike,

    Thanks for the comment.

    My view, which is consistent with one of the better definitions out there by RightScale, is that cloud computing has three levels: infrastructure in the cloud, platform in the cloud and applications in the cloud. So all three are considered to be cloud computing. So I don’t believe I am confusing cloud computing and PaaS. PaaS is just one form of cloud computing.

    My point is simply that we shouldn’t take security for granted just because it’s Google, Amazon or SalesForce. We should continue to be vigilant about it and understand how these companies can protect your data. Chris Hoff has a fairly good blog post on this specific topic.

    Btw, the security issue is not just a PaaS provider issue. The same questions should be asked of IaaS, PaaS, or SaaS providers.

    Thanks


  3. Mike Kavis Says:

    Fair enough. When I talked about security in my vlog, I was referring to the PaaS providers. I am not saying that they are without issues, but for most companies (especially small & medium size companies), they will have infrastructure and security that is far superior to what these companies are able to invest in. The reason is because it is their core competency. For example, my company is a medium size company and we only have two people in our security department. We don’t have the people and the budget to build the level of security that the PaaS providers have to build.

    That was my point. My point was not “Trust the Cloud”. The PaaS providers still have a way to go to mature their technologies. This is evident with the recent outages of Amazon and Google (just yesterday). But a few years from now, this will be the normal way of computing. First the non-mission-critical apps will start moving over. Once the PaaS providers prove that they are indeed stable, secure, and reliable, the other apps will follow. This will take between 5-10 years before this is mainstream (IMO) but it’s coming.

    Thanks for the feedback. Cheers!

