Every day brings more headlines about social networking, cloud computing and Software as a Service (SaaS). Each of these fast-growing areas has an important element in common: they rely on moving data from private computers into the public cloud. The theory goes that this data is protected by the service provider, who is an expert in their field. But in very few cases is that field data security, and there are important implications that should be considered.
Security researchers have called for Google and others to use SSL to protect all of the interactions with their services. I agree that’s a basic minimum that everyone should do, but I think it has to go far further! Many cloud providers simply shrug off the responsibility for security in the fine print – see the Amazon EC2 license agreement. It’s often the case that providers are unwilling to describe how they protect customer data and simply say “trust us” – Salesforce.com, for example, uses lots of buzzwords in describing its security, but offers no hard facts that a company could rely on for auditing purposes. Network World argues “...it would be difficult to impossible to achieve PCI in a cloud provided by a service provider ....” In the social networking world, the debate over who owns the uploaded data rumbles on.
So let me return to the title - Is “trust us” good enough for private data in the public cloud? Definitely not!
Before private data can really be acceptably safe in the cloud:
- The cloud providers need to start competing on security rather than just price. Right now cloud computing is about bang for the buck: how much storage or bandwidth and how many CPU cycles you can get for your money. But as the market evolves, and increased competition drives margins toward zero, providers will look to value-added services to differentiate themselves. Security will be an important one of those – expect to see contractual promises, penalty clauses and detailed security models available for customer review.
- The IT community needs to find a way to allow the data owner to protect the data themselves and still take advantage of everything the cloud has to offer. If the data is most precious to its owner then we need to empower that owner (individual or company) to be able to protect their own data, while still gaining the benefits that cloud computing has to offer. Expect to see a wave of new products designed to extend the protection we’ve all come to expect (on our home machines, and within the enterprise) out to computers that we use within the cloud. Expect to see cloud providers opening up APIs to allow third parties to fill in the missing elements and drive more customers to their services.
At Trend Micro we call it Security FOR the Cloud. Expect to hear that a lot more in the coming months!