Having attended a number of conferences this year the big talking point has been without any doubt the area of "cloud computing".  Every vendor seems to be selling some solution based on the cloud computing premise.  Business people are getting excited about "cloud computing" because they see it as a means to unshackle themselves from their corporate IT systems which they deem to be out of line with their requirements.  While CIOs are looking at "cloud computing" as a means to stretch their budgets further.

But the more I hear about this topic the more confusion and misinformation I am finding.  One example was at this year's Infosecurity Europe event.  I was standing beside a vendor stand who provided a filtered email service.  I overheard the sales person attempting numerous times to explain to a visitor to the stand how the service worked.  However, after numerous attempts to explain how diverting email through their service would filter out spam and viruses the visitor to the stand was still no wiser.  In desperation the sales person simply said "Actually, we use the cloud to clean your email".  This brought a smile to the visitor's face and resulted in the vendor getting an order.

As an Irishman I see too many clouds in our summer skies that eventually bring rain.  So clouds to me are not necessarily a good thing, they block out the sun and can bring rain.  Rain in small doses is to be welcomed but as we have seen recently too much cloud brings too much rain with disastrous results.  So it is not to be unexpected that I treat the whole cloud computing issue with a touch of skepticism.  The above example being one that highlights said skepticism.  So my worry is that we have a rush of people putting data and services in the cloud without really understanding what the issues are and indeed how to ensure the security of those systems. 

I agree that cloud computing can bring many benefits and efficiencies, but I argue that we need to ensure security issues are thought out at the beginning rather than at the end.  Have we not learnt from past experiences with other technologies that adding security as an after thought often ends up costing us a lot more than we first thought?

I am happy to see that a number of excellent publications are now available to help you move to the cloud in a secure fashion;

• ENISA has published their report on Cloud Security.  I have quickly read it and as usual ENISA provide some very useful guidance.  In particular it being published by ENISA it covers a lot of the issues relevent to organisations within the EU.
• Another useful resource is the Guidance for Critical Areas of Focus in Cloud Computing published by the Cloud Security Alliance.
• ISACA has also published their whitepaper  Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives.

If you are looking into moving any of your services or data into the cloud then I recommend you read the above papers and for additional insight into the complex world of cloud computing the Cloud Computer Security and Rational Suvivability blogs are excellent resources.

Delicious

Digg

Reddit

Facebook

StumbleUpon