Tuesday, June 9, 2009

Security in the Cloud
by Gerald Trites

Many companies have gone into cloud computing, and the recession appears to be prompting more to do so. Cloud computing, if you've been on a desert island, means putting applications and data on an internet service and having the administration done by the service provider. It's outsourcing using the internet. Google, Amazon and others are into providing the service.

Of course, everyone knows that putting things like applications and data on the internet is a risky business. True, major advances have been made in recent years in internet security, but there are still risks that need to be addressed.

In the case of cloud computing, people sometimes make the wrong assumptions, and make some of the same mistakes people have made with outsourcing in general. This includes relying too much on the service provider, assuming they are stable and safe to deal with, assuming they will look after security and we don't have to worry about it.

Wrong!

In any outsourcing activity, the company can pass along the work, the administration and the details, but we can't pass along the responsibility. In the end, when things go wrong, it's the company that will pay the price, not necessarily the service provider.

That means when planning security in the cloud, it needs to be approached by the company in full knowledge that it is its responsibility, almost as though the company were implementing all the security itself. That means reviewing security plans and structure, ensuring that the security provided meets the company's objectives, and generally assuming full responsibility for it.

Many companies have not approached it this way, thinking the service provider will look after it. Well, they will, but maybe not to the extent the company needs it. For an interesting summary of the top six mistakes companies make in implementing cloud security, see this article in InformationWeek.

No comments: