Public cloud? Not safe for work or believable contender?

Opinion Davey Winder Nov 23, 2012

Public cloud providers are keen to boast about their security credentials, but can they be trusted, asks Davey Winder.

Usually if you see a link preceded by the acronym NSFW it's a heads up that the content you will be landing upon is Not Safe For Work. As far as I'm concerned, any public cloud service should surely carry the same warning - although I expect there will be plenty of people who disagree with me.

But I am not alone if the research statistics out there are anything to go by: one central London co-location data centre, City Lifeline, found that 63 percent of business customers opt for a private cloud and 87 percent agree that private is safer than public in cloud data security terms.

Roger Keenan, the City Lifeline MD, insists that "both public and private Cloud have merits, but security should not be a concern with either if you are working with a reputable provider". Try telling that to Joe Schmo, the man with his finger on the IT budget out there in enterprise land.


Last month, another survey, this time by database security outfit GreenSQL, revealed that a whopping 81 percent of IT professionals have security concerns about moving data into the cloud: 31 percent didn't trust the level of security in cloud services, 28 percent were worried they couldn't control their data in the cloud, and 19 percent insisted that cloud services are just not mature enough yet. Although the GreenSQL CEO, Amir Sadeh, is right when he states that "the cloud is still a new, uncharted territory for many, and trusting data to the cloud borders on an act of faith", I cannot help but think it would be less of a leap of faith, and that the 'security need not be a concern' argument would hold more water, if there were a clearer separation in perception between public and private clouds.

I'm well aware that many people put forward the argument that the public cloud isn't insecure, although closer inspection reveals that most of them have some kind of security product to sell. There do seem to be a lot of caveats attached to public cloud offerings. I'm not saying, for one cotton-picking minute, that the same does not apply to any cloud infrastructure or any cloud service provision; of course you always have to build security into your data migration and service provision strategy. However, some clouds are more secure than others from the get-go.

If you run with the generally accepted notion that data separation is a key factor, that your virtual machines and your data need to be isolated from those of other companies in order to start from a solid security base, then the public cloud has already failed the test. No?

The clue is in the words public and private; it's not rocket science, is it? Although it is quite possible to segregate tenants within any cloud, mitigating the risk of 'breach leakage' should one tenant get hacked, it's a whole lot easier to ensure when you operate your own private cloud infrastructure. I do worry whether public clouds are built with security at the top of the design checklist, rather than bolted on afterwards.

I've noticed a couple of ways that operators of public clouds (or multi-tenant cloud service providers, if you prefer the longer mouthful) get around the perceived insecurity issue in order to tempt business through the door. One is to say 'we're not really a public service because we don't accept online sign-ups from anyone with a credit card, we only take established enterprises as clients', which is as big a crock of the security brown stuff as I've seen in a long time.

The immediate knee-jerk response to anyone churning out this crock is to walk away. If you have more patience than me, you might try asking what exactly the provider does to secure you and your data against other tenants, but don't expect a meaningful answer. The other get-out clause is to insist that security at the provider end has improved of late, and to show you audits and certifications to prove it. What I say to that is "certifications, cerschmitications". There are some excellent public cloud providers with a good track record, but no matter what they say, I will continue to believe that an application in a public cloud is likely to be less secure than one in a private cloud. Of course, you can mitigate the added risk by increasing internal security, but I will still believe that public clouds and the applications within them are not inherently safe places for work.

I appreciate it's not black and white: the nature of your data, the nature of your business, and the nature of the regulatory structure that surrounds them will all have an impact on the cloud providers you use. And I certainly appreciate that this is a personal view, one that will not sit well with everyone, and that companies will always be happy to make the compromise between security, convenience and cost. However, as far as I'm concerned, a private cloud that lives within your own firewall and is customised to your own security needs has to be the sensible choice every time.

Davey Winder


Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.