Three quarters of UK CIOs see security as being the major barrier to cloud adoption and yet if you take a look at the Wikipedia (I know, I know) entry on cloud computing, “Security” is listed as one of the Key Characteristics of cloud-based services, how can this be?
One of the reasons for this apparent contradiction must surely lie with the language itself, and not the technology. We already know that the term “cloud” when applied to technology has a different meaning to everyone who uses it and everyone who hears it. Hell, the term “cloud” when applied to clouds has a multitude of possibilities! The truth is though the same is true of the term “security”.
If you talk to a sysadmin, a network admin, a coder, a hacker, a security guard, a facilities manager or a three star general about security then once again they will each have their own understanding of the definition, the aims and the means of achieving that elusive “security”. If you ask a C-level executive what security means, especially in the context of cloud, then they will have a different understanding again.
To an executive, security is all about control and accountability. Data and the management of data are the asset and the task that are currently mostly considered for delegation to cloud providers. Today’s legislation places a burden and corresponding sanctions on corporate executives to ensure that the data which they hold is stored and processed in a secure manner. Future legislation promises to extend this burden of accountability and the penalties for non-compliance can be severe, stretching, if you’ll pardon the pun, to even to jail-time.
When your most precious assets are tucked up tight in your own data centre, handled by your own employees on physical systems that you can secure discretely then creating an audit trail and accountability is far simpler. The control remains with the data owner. In the cloud environment as it currently stands, much of this control is outsourced, but none of the accountability.
Virtualisation, multi-tenancy and storage area-networks are the technological engines powering cloud services. The rapid provisioning of virtual machines across highly-scalable, highly available infrastructure gives cloud providers the economic advantage that is their business promise. Cloud customers need to be secure in the knowledge that they retain control over the secure perimeter of their virtual machine and that it is not dependent on any configuration at the provider end. Cloud customers need to know that their data is sufficiently encrypted in the SAN that it cannot be accessed or used by anyone other than those who hold the keys and that the keys are not held by the cloud provider.
In order to increase the acceptability of cloud to the enterprise executive, we need to design tools that ensure control over the security of key underlying technologies. It is only when a CIO has control that they can reasonably be expected to accept accountability.