Security Still an Issue in Cloud Development Projects

At a recent conference, IBM and Amazon executives debated one of the biggest issues around the cloud - the extent to which users can rely on security built into the services of the provider. Amazon made the point that users should recognize that they are moving into a platform with a lot of security already built into it. IBM countered with the point that you can't rely on that - that each user and each applications contains its own needs and issues.

Both are right. There is some security there, but users need to go some steps further in order to make sure the security meets their needs. This might involve obtaining SSAE 16 reports (the old SAS 70), but should probably go further than that and include a through review of the security structure to make sure that it is adequate. That means involving the auditors in the development process - an old saw, but still a true one.

Here's a report on the debate at the conference.