When Peter Pan is trying to convince Wendy to fly, he tells her all she needs is “Faith, trust, and a little Pixie dust.” Which, to be fair, appeared to work for the lost boys. In this piece published here on Infosecurity, it sounds a bit like Microsoft is advancing the same approach to cloud security.
Microsoft’s Steve Lipner does make some good points, especially about the trade-offs of security and cost, and the need to be very careful in selecting cloud providers. However, to suggest that Cloud could help improve security seems, well, a little optimistic.
Sure, it could. The question, however, that you need to answer is: would it?
Yes, patching might happen faster, but let’s be honest here. Isn’t part of the value proposition of cloud that the infrastructure is transparent? Things might be run more securely by your vendor of choice, but let’s say I’m the kind of curmudgeon that thinks maybe they won’t be. How would I know? How do I know that you’re keeping my data on systems that are fully patched and configured to the very latest best practices?
Of course, I could take your word for it, Mr. Cloud Vendor. I could demand audits and reports and pounds of flesh. In fact, I could ask for all the things that I normally expect from my own organization. Remind me again why switching to the cloud is going to make any of this better?
The problem here is that, basically, I have to hope that the cloud vendor is going to do a better job at keeping systems secure (and managing the people who have access to them) than I am, if I’m to believe that I’m going to see security gains in the cloud.
Cloud as a model offers all kinds of opportunities for all kinds of organizations. Faster access to scalable computing resources, simpler administration, more flexibility than I can shake a stick at. But to suggest that a side benefit is that it makes systems – overall – more secure, is beyond even the power of pixie dust to suspend my disbelief.