Cloud security? I'm sorry, I haven't a clue...

Opinion Davey Winder Jan 15, 2013

We're a nation of dunces when we come to cloud - and as for our approach to cloud security ...

New research that has landed on my desk would seem to suggest that, as far as the general public is concerned, understanding what the cloud actually is continues to be something of a challenge. Truth be told, I think it's not just the great unwashed; plenty of the IT crowd are equally as confused about the cloud. That confusion only increases, and often spirals out of the realms of sanity, when you add security into the mix.

The research that prompted this particular line of thought came from the direction of hosting outfit Webfusion, and revealed that of the 1000 members of the great British public asked about the cloud within a computing context only 34 percent were happy they really knew what it meant. Some 38 percent simply didn't have a clue what cloud meant - and that doesn't surprise me one little bit.

Just as unsurprising was discovering that pretty much the same number of folk, around 300 in each camp, thought that Gmail, iTunes and Dropbox were either cloud applications or absolutely not. Only 15 percent of those asked were confident that 'scalable hosting across multiple servers' was a cloud service, and I suspect most of those were nerds and the remainder were guessing.

Some 38 percent simply didn't have a clue what cloud meant - and that doesn't surprise me one little bit

I can't help but agree with Thomas Vollrath, CEO of Host Europe Group (the parent company behind Webfusion) when he warned that the results meant that within the consumer space using the term cloud as marketing collateral isn't a brilliant idea. Most users of consumer services "don’t understand the technicalities of what defines a cloud service, and probably care even less. All they want is innovative applications that give a great user experience on a variety of personal devices, and consumer marketers should concentrate on those messages" Vollrath said. And that got me thinking 'What about business?' and 'What about people working within the IT sector?' and 'Does the same apply to dealing with security in the cloud?'

Certainly, given the results of research study after research study across the last two or three years, there is little doubt that business as a whole totally gets the cost benefit of the cloud but totally doesn't get the security implications.

 Actually, that's not quite right: they get that there are security issues which need addressing when migrating into a cloud environment but fail to see the solutions which are staring them in the face. And it is the same confusion, the same misunderstanding of what it is and how it works, which impacts upon the cloud definition that is preventing clarity when it comes to data security issues within the cloud.

The solution is a relatively simple one, on paper: stop thinking in terms of 'cloud security' and continue thinking about 'data security' instead. Sure, as regular readers of Cloud Pro will be well aware, there are a myriad cloud-specific security issues that need to be addressed within particular industry sectors and those cannot be ignored. However, they should not be the main focus of any data security strategy, instead just a branch off the main trunk which remains the same as it has always been: who can access the data, who can see the data, who owns the data. Clearing the mind of all the cloud-related clutter has to be the first step, only then will security be seen in its true colours and only then will business be able to move sensibly and safely into the cloud environment.

Without wishing to blow our collective trumpets too much, Cloud Pro plays an important role here. By educating IT professionals and business folk alike in the ways of the cloud, by getting the truth of the matter out there and stimulating debate within the industry, so the FUD starts to disperse. Of course, Cloud Pro is not alone in banging the educational drum and sometimes good advice comes from the most unlikely of avenues. Taking advice from a lawyer regarding data security in the cloud might be a part of an overall strategy, but I wouldn't usually recommend them as a first port of call. I will, on this occasion, make an exception.

Legal outfit DMH Stallard has just launched a free report called ‘Secure Your Data in the Cloud’ which has the aim of answering questions relating to cloud-based security by getting the opinions of a host of industry experts. Frank Jennings, head of commercial at DMH Stallard wrote the report and says "the answers themselves reveal that data is not inherently more insecure in the cloud than on-premise. According to our experts it is all down to what safeguards there are and the responsibility for this resides with the data owner themselves". Bravo that man, he is spot on the money.

  • The report is a good read, and brings five key lessons to the table:
  • Keeping data secure is not so much about whether it is on-premise or in the cloud as it is about putting in place proper safeguards
  • You should classify your data according to importance and adopt security measures accordingly
  • Undertake diligence on your providers. Make sure they have a good reputation, have achieved recognised accreditations and have addressed security to your satisfaction
  • Don’t just look after the technology. Remember security is about people too
  • Take practical steps to protect your data and then cover this off in the contracts with customers, staff and suppliers.

Davey Winder

daveywinder (2).jpg

Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.