Mike Kavis, aka madgreek65, did an interesting 7-minute video blog on the topic of cloud computing where he explains his view of it as well as explaining the risks. He then followed up with a blog post on The future is in the Clouds.
In the video blog, Mike tried to explain why customers shouldn’t have to worry about the loss of data control and security. First of all, as Mike said, “these companies invested in billions of dollars in infrastructures and security and have armies of security professionals.” Therefore, these companies will have greater control and better governance and do a much better job at protecting customers’ data than they can. Second, since “most security breaches are inside jobs”, cloud computing will “greatly reduce the risk” of such breaches. Even though there will still be some, but the risks are reduced. Third, companies are already putting their data out there, including payroll, accounting, CRM. Since this is already being done, we just need to “shift the way we think” because “this is the wave of the future” and it’s the “next game changer.”
I have to disagree on all three points. First, not all “cloud computing” companies that have sprung up can and will invest billions of dollars in infrastructure and security. If you just look at Amazon or Google, yes, maybe. However, there are plenty of cloud computing startups that have no such budget and they have the same problems as every startup when it comes to deciding whether to invest in infrastructure or security (i.e., infrastructure wins, security loses.) So a blanket statement like that doesn’t make any sense. Even in the case of Amazon and Google, just because they can have more security professionals, it doesn’t mean customers should just trust them and not worry about security and data privacy.
Second, on the topic of insider breaches, just because the data is now in the cloud, it does not reduce the risk of insider breaches. Insiders still have access to the data, they are just accessing it a different way. Just because the data is in the cloud, the responsibility of segregation of duties and access authorization still fall on the customers, not the SaaS or cloud computing providers. So yes, it may reduce the chance of insiders getting direct access to, say, a database, it does not in any way reduce the risk of insider breaches. In fact, I will argue that it may even increase the possibility as you now have to take into consideration of the cloud or SaaS providers’ employees. They have access to a lot more information and a single incident could expose information from many customers.
Third, the argument that because companies are doing it already and are already putting their payroll, account, and CRM information in the cloud, customers should just shift the way they think also doesn’t sit well with me. Just because others are doing it doesn’t mean it’s the right thing to do. Customers shouldn’t just throw away their security policies and adopt a new way without evaluating the risks.
So am I advocating companies not to adopt cloud computing and SaaS? Absolutely not. What I am advocating is that companies evaluate the potential risks and understand the business impacts before jumping into the “wave of the future.” Don’t just trust the cloud or SaaS providers to take care of security. At the end of the day, it’s the customer, not the providers, that’s signing off on the SOX report and go to jail (or fined) if the audits fail.
I am working on a series on “Tough security questions for SaaS providers“. It should serve as a good set of questions to ask when evaluating cloud or SaaS providers.
