Are applications & services deployed to the public cloud secure?

I feel the need to write this only because I've had to address it no less than a half-dozen times in the last 2 days, so one more time ... "Is an application or service deployed to the public cloud secure, or not?" ... the answer is yes, and no.

 

It appears as though the "public cloud security" debate has turned into the same discussion we had back in the late 90's, early 2000's about "Is Windows secure?".  The answer isn't simple.  There are lots of mitigating factors here... My position is that any application or service that was built to be secured independently of the environment will do just as well (or better) in a public cloud as it did living in your private data center.  That being said, most organizations I've had the pleasure of sitting down with up until now are not there when it comes to security architecture and building security into the application or service.

 

Allow me to give you a much simpler analogy.

 

Ask a similar question: "Is your car secure against theft?"

 

Obviously, there is a significant number of mitigating factors.  Most applications, if they were cars, would have the windows rolled down, doors unlocked and the key 'hidden away' in the arm rest or glove box.  This is why we have to build big perimeter defenses around them, with an electric fence, fancy high-security building and armed guards patrolling the property.

 

The application that is designed like a locked vehicle, with the keys far enough away that the thief can't just reach in and drive away, will display a similar risk profile in a public parking lot that you do not control as it would in your garage.

 

Now, putting cars aside, you have to ask yourself this question - "Have I architected this application or service to be secure and resilient to the level of risk that is inherent to it?"  If the answer is no, then public cloud is not for you.  Actually, your own defenses will probably be expensive and inadequate as well when it comes to protecting that application or service ... it's just that you'll have the illusion of control, whereas in the public cloud - you simply don't.

 

Before you yell that I've over-simplified it, I'm aware there are things missing here ... but overall I'll stand by the analogy, and I believe the end-result is sound.  If you build the application/service to be low-risk independent of your environmental controls (that is, you secure at the architecture, code, access, and data levels) you shouldn't have to worry where it lives.


Comments
secolive(anon) | ‎08-09-2012 09:02 AM

In reality, the problem with this question, or any question of the form "is XY secure?" is that it is lame. There is no good answer to such a question because there is no such binary thing as "secure". Hence, in each and every case, we find ourselves explaining that security is a continuum and that many factors have to be considered. Or better yet, restate the question as it really matters to the guy who was asking, such as "does it pose a real security problem to deploy this application to the cloud instead of locally?"
