Things can only get better ... provided we take security seriously
The advent of the cloud might mean we start taking our security a bit more seriously
So there I was, chatting to a guy who has been implementing security solutions at the large enterprise level for a quarter of a century, when something he said almost made me spill my beer. "Untrusted clouds will make the data security space a better place to do business", he insisted, adding, "but it might take a year or two before the paradigm shift in security thinking that we need emerges fully formed".
If you accept that, in far too many instances, current data security thinking often relies upon the traditional herding of data behind a firewall of some kind and then attempting to shoot down any known threat that heads towards it, the paradigm shift argument kind of makes sense.
We have come a long way since applying a kind of Sun Tzu 'know your enemy' mantra to data security was seen as doing enough by some folk. Truth be told it has been a long time since simply identifying the virus/Trojan/malware/hacker signatures was enough to protect anything, mainly because such an approach can only protect you from the enemy you already know.
Sure, there's the heuristic analysis angle to filter in, but experience proves that when faced with a determined and capable foe, armed to the teeth with a zero-day exploit and prepared to unleash that most explosive of weapons within an advanced persistent threat scenario, your traditional paradigm will get shot to pieces.
However, all is not lost as far as what The Art of War and Mr Tzu can teach us. Although there is no doubt that knowing your enemy doesn't cut the mustard in a world where almost by definition we are dealing with unknowns much of the time, what Sun Tzu actually said was "know your enemy and know yourself and you can fight a hundred battles without disaster".
It's the latter bit about knowing yourself, or if you prefer your data and the methods by which it is both stored and accessed, that still rings true today. I would suggest that once you 'know yourself' in this sense, the security battlefield itself becomes irrelevant. It matters not whether the fight is being fought in the cloud, on the desktop, in your server room, on your smartphone, wherever. What actually matters, all that actually matters, is the data that is being fought over.
Which is what my sage security friend was getting at. Public clouds are forcing people to reassess what data security means, and focus on protecting the data itself rather than platforms or processes. If this is, indeed, true then it has got to be a good thing. Encrypting your data fulfils the knowing yourself requirement, whilst enforcing a principle of least authority covers knowing your enemy quite nicely. This, the argument goes, will become increasingly important at the lower end of the business scale where companies do not have either the budget for a dedicated netsec team or the will to buy in some hired help. The cloud will be a more, not less, secure place for them to operate.
But the 'things will only get better' debate doesn't stop there. The whole 'untrusted = better security' line of thinking is a little hard to come to terms with, but when you start thinking along the lines of "if my data is out of my immediate control, then I had better encrypt it properly to be on the safe side" it starts to gain a bit of clarity.
Anything that can kick the false sense of security experienced by many who should know better into touch is alright with me, and there's certainly been no end of complacency in this regard over recent years.