CSO Online says they have four examples of "Cloud security in the real world".
I think this one is my favorite:
"We know one of their three data centers have our data; it's not just sent into the cloud and we don't know where the data is," he says.
Ok, that is just scary. The data is not in the big bad amorphous cloud, it is in one of three data centers. That is much more specific. We should trust controls in three data centers?
This seems to me like saying you know your child is staying in one of three cities, not just sent into a country but you don't where. A city can be a very, very large place with many risks. The fact that you know the name of the city that the child is in does not mean it is safer than being inside a country.
In other words, a city could have controls and some secure areas but that does not mean a) the city is safe in general and b) your child stays in the safe areas. Does this analogy work?
A really good example of what I am talking about is in my visualization post from the other day; what's your data altitude? Here is San Francisco:
The point (pun not intended) is that we must to attest to the security of the environment our data lives in. When someone says the data will be in one of three datacenters then those three datacenters will be in scope of an audit. Instead of looking at a neighborhood, or a house, we will now look at security in an entire city. Ouch.
That is a lot of real estate.
Another example in the same article gives a sightly different angle on this elephant:
"Because the rules haven't changed to reflect cloud computing, regulations still require visits to the physical box, and you can't do that in the public cloud," he says. For data that falls under compliance regulations, Kavis plans to use a virtual private cloud. "The vendor will say, "Here's your server, locked in a cage, and if you ever have an audit, you can bring in the auditors to look at it.' We'll use that for passing audits, but everything else will be in the public cloud."
Ah hah! Don't look at three data centers, just look at this one specific area. Smart, sort of.
Let me set aside the fact that this guy is clearly trying to appease the auditor rather than run a secure environment. That reminds me of this Far Side cartoon:
See a problem?
The issue I have here is how upside down and backwards this second example sounds.
I hate to hear people say the rules haven't changed to reflect cloud. Consider that the examples in the article of real world cloud security involve the following concepts: authentication, firewalls, encryption. OMG! Can rules handle such new and different concepts in security? A firewall! What is that? What will auditors do now? When will they catch up to the cloud innovation?
Seriously, though, the hidden issue here is that clouds are still in their infancy and that means they are about sharing, not caring. Their value proposition thus far works through more open access to more resources. This should sound familiar to anyone who used very early operating systems. Security demands controls around data, regardless of where it goes. This also is far from being a new concept.
The rules do not have to change, the cloud has to change to meet the rules.
Clouds simply have not matured to accommodate the usual security requirements. Providers are finally approaching the point where they can handle the fundamentals of delivering primary services – making things actually work.
Security will start to come into better focus after the system is operating. It's like watching the single-user operating system (DOS) evolve into the multi-user operating system called Windows — cloud products should soon start to handle the rules better. Not the other way around…and look how secure Windows is now after years of progress from the early days of sharing data. Am I being too sarcastic?
Sharing is better when there is caring. Let's hope the cloud vendors can soon offer services and products that help them catch up to the rules.