Keeping Control in the Cloud

I had a great talk with Fred Donovan this week regarding cloud security.

It's pretty clear that organizations of all kinds are very concerned about the risks (and the cost of those risks) when moving to adopt cloud services.  It's also fair to say that the cloud providers are working diligently to address those concerns – indeed their very survival may well depend on their ability to soothe the fears of prospective customers.

One of the interesting things that I think has to happen, though, is a realization on the part of the cloud providers, however well intentioned, that they cannot solve the entire security problem for their customers, and, conversely, the acceptance of that fact by those customers too. Does this mean that security is irrelevant for cloud providers?  Clearly not. But at some point we're all going to have to understand that outsourcing of management doesn't mean outsourcing of responsibility – and that's a good thing.

Let's look at encryption, for example (a subject close to my own heart).

A lot of cloud providers, of all kinds, are already providing encryption as part of their offering. And they should. But ultimately we're going to need encryption that is managed and owned not by the provider but by the organization itself.

Encryption provides a highly effective way to protect information (assuming you get a few basics right) but all encryption stands or falls on the ability to manage the keys securely. And therein lies the problem. If the keys are owned by the cloud provider, then as a business I have far less control over the security of that information than if I manage those keys myself.

As Jonathan Penn from Forrester said recently, encryption is one of the best ways to secure corporate data in the cloud, but “it has to be encryption that the company controls.”

If, as a business, I maintain control of encryption keys in the cloud, then not only do I have better capability to enforce protection of sensitive information, but it's far simpler to prove compliance with the various legislative and industry mandates, and I actually inoculate my organization from a number of risks that are specific to any given cloud provider.

Concerned that the provider will suffer a breach? If the data is encrypted and I have the keys, my information is at far lower risk of exposure than if those keys are stored on the provider's site. Worried about an insider? No keys means no access, regardless of how privileged the insider might be. Want to avoid vendor lock-in? If the information stored on a provider's systems is useless without the keys I already own, then I have far less to worry about if I take my business elsewhere in the future.

While availability and performance are still going to be concerns, so much of what is holding organizations back really devolves to a core data security problem. If we can get the management of data encryption right – that is, fast, simple, flexible and transparent – then a lot of that concern goes away. And if that happens, everyone wins: consumers, businesses and, yes, cloud providers too.

