This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Why Cloud Security Is Hard

Security is not free, and moving to the cloud can introduce you to costs and risks you never knew you faced (though you did).

One of the dirty little secrets of the cloud is that security costs money, which offsets the savings that probably motivated moving to the cloud in the first place.

That's one of the conclusions of a terrific deep-dive into the murky waters of cloud security by Scott Fulton, writing at HP I/O.

The first question to ask is: Who is responsible for security when you move some of your processes to the cloud? The answer is a resounding "It depends." The more of the stack the cloud provider takes care of, the more they bear responsibility for security -- so SaaS providers need to have security services as part of the offering. Conversely, the lower down the stack you rent your cloud services, the more you have to worry about the security aspects. If you're renting bare iron and silicon (IaaS), the burden is all on you.

That distinction characterized the Cloud Security Alliance's first stab at defining best practices in the field. The CSA is a worldwide consortium of cloud providers and corporations with major interests in cloud services.

The bright line the CSA initially attempted to draw grows considerably dimmer in the real world of shared resources and multi-tenant cloud solutions. In 2010 the CSA revised its own recommendations, saying: "The multi-tenant architecture of the cloud means that many of the infrastructure services... are shared with other applications. Since these applications will often be from different organizations, the relationship between application and underlying infrastructure changes... These changes should be reflected in a corresponding modification to the application's threat model." We're moving rapidly into the territory of a unique threat model per deployment.

The geographically distributed nature of the cloud muddies the water further. The iron your cloud-hosted process runs on may be located in northern Virginia one minute, London the next, and Russia a moment later. Responsibilities for security, privacy, and lawful government access vary wildly by territory. In the US, courts have treated such questions on a case-by-case basis.

A 2011 study by the Ponemon Institute (PDF available here) set off alarm bells for those contemplating a move to the cloud. The study found that a majority of cloud providers in the US and the EU did not believe security was their responsibility, and did not view security chops as a competitive advantage in their market. On average they spent 10 percent of their budgets on security. The cloud providers believed that the primary reason their customers came to them was to save money.

Security costs money, no matter whether you deal with it in-house or outsource it. Can a cloud provider do it more cheaply and comprehensively than you can? Possibly; but they can't do it for free.

Some cloud companies are more careful than others to spell out what they handle, what they do not, and how much it will cost their customers. Scott Fulton profiles one provider, BlueLock LLC, that makes a competitive advantage of being very clear about these issues with prospects and customers. In these discussions they often need to tread carefully:

BlueLock may lay out a plan for how a client's cloud service will be regularly administered. Just seeing the details of that process spelled out on a chart can be bewildering, and even scary, for some clients... Many are introduced to new categories of administrative, legal, and structural risks which they face right now, in or out of the cloud, that they've never even heard of.

The problem, simply put, is fear... There's a fear of not knowing what's going on inside your systems... But beneath that, there's a deeper fear of finding out. Because then comes the real test of whether you're responsible for the consequences.

I recommend taking the time to read Fulton's cloud security article. It's both deep and entertaining.