Cloud Security 0.2
The security aspects of cloud computing
In the history of information technology, a number of themes continue to repeat themselves. Not least the idea that computer power should be delivered as a service - back in the 1970’s organisations used computer bureaus for their processing needs, and over the years we’ve seen the same principle delivered in various guises.
At the turn of the new century, ‘utility computing’ was the phrase being used - comparing IT delivery to that of electricity or water. Security was seen as a fundamental element: “Data should arrive like water from taps - already clean,” as one executive was heard to say.
Today we talk about cloud computing. The experts aren’t wrong when they say there is nothing new in principle - perhaps the biggest change is in the fact that today’s computers are now powerful enough to run multiple virtual machines, adding a level of flexibility that wasn’t possible in the past outside the traditionally more expensive world of the mainframe.
All the same, the principle - the aspiration - is much the same as it always was. Not only to benefit from the cost efficiencies that multi-tenancy should bring, but also to reduce the risks associated with IT service delivery. It’s worth reflecting on the “utility” nature of cloud computing, and considering what comparisons can be made with other utility services with regard to security. Put simply, we can consider cloud computing security in terms of processing and delivery.
From a processing standpoint, we are essentially outsourcing our computing activity to third parties and as such, we need to trust them to succeed on our behalf. That is - not to lose or damage our data; not to break down, slow down or otherwise fail; and not to respond appropriately in the case of external threat, be it malicious, unintended or natural causes.
While many providers take such responsibilities very seriously indeed, not all do, and for good reasons organisations have been reluctant to hand over their data to cloud-based service providers. Understandable - and a symptom of just how early in the process we are towards using the cloud for mission-critical data.
Meanwhile, we have delivery. Utilities incorporate treatment plants, filters and other protection mechanisms to ensure that the water we drink is as clean as it can be, and electricity suffers from a minimum of spikes.
Data can also be treated in the same way - not least in terms of protection against spam, spyware and other content-related threats. Just as consumers and businesses would not be expected to treat their own water, neither does it make sense to protect against all kinds of threat in-house.
It’s not just a question of scalability, nor the fact that the best place to deal with such things is before they reach the organisational boundary. In addition, many companies, particularly smaller ones lack both the skills and the resources to monitor against what is an increasingly complex threat landscape.
The principles behind cloud computing may have been with us for many decades, and it may be many more years before the aspiration of delivering IT completely as a service becomes a reality. In the meantime, it is worth looking for specific places where cloud computing can take the strain. Not least in security which is an essential element of any cloud computing strategy, whether in terms of processing or delivery.