
Security: The Scary Part of Cloud Computing


  • Comments 7
  • Thanks Jim for a great summary of my presentation. I hate to always be the one to scare everyone away from cloud computing because it does pose some great opportunities--especially for smaller organizations. The main thing is that organizations understand the risks and take the appropriate steps to mitigate the risks--which sometimes is just a matter of educating their staff what they should and shouldn't do with cloud services.

  • While I think the article provides a good rundown of potential issues with cloud solutions, I feel like these conversations are often one sided.  The question of cloud security can't be evaluated in a vacuum.  Instead, it must be compared to the alternative of internally hosting, securing, and supporting similar solutions.

    I've yet to encounter a non-profit with the security staff and focus that most cloud providers have. Thus, from a systems security perspective, I'd put money that there are far more security vulnerabilities already in place at most nonprofits than at any respectable cloud service. This is all the more so when you consider that many of the in-house hosted services are available through the internet (e.g. Exchange webmail).

    Regarding the potential for a breach of confidential data, I would personally rather be in the position of defending the security practices of a cloud provider meeting numerous annual security audits than have a microscope turned on the internal IT security practices of most non-profits.

    The only security question that makes sense to me when evaluating cloud security in comparison to in house security is the possibility of a vulnerability at the infrastructure level of a cloud service.  For example, a vulnerability on your website due to not patching your CMS could happen the same on a cloud server or your own server.  I'd be interested to hear instances of a cloud infrastructure hack granting access to multiple client systems, but thus far I haven't seen any.

    The real question I see in regards to cloud security centers around reliability (SLAs, disaster recovery, bankruptcy, etc.). While Google's downtime or Amazon's EC2 downtime may speak to the issue of reliability, they don't really say anything about "cloud security" and thus seem a non sequitur to this discussion. Also, the discussion of cloud outages shouldn't take place in a vacuum. I'd be interested in seeing a list of all services at non-profits who internally host systems as a comparison on reliability.

    At my last job, I saw a major non-profit afraid to move to cloud solutions because of "cloud security" FUD and an IT department well versed in the old way of doing things.  It's hard to teach an IT person new tricks, but I strongly believe the cloud is too compelling for non-profits to not start seriously evaluating their options.  

    As Donny said in his comment, none of this means you shouldn't use the cloud.  It just means, as with everything else in IT, you should do your research and plan appropriately.

  • Great discussion. Donnie did good summarizing the risks. The cloud can make good business sense, but sadly, FUD is ultimately where the story stops for some folks because of the misconceptions re: cloud security. "Is cloud computing more secure? Less secure? 100% secure?" I mean, they're legitimate concerns, but without context, questions like these can't be answered upfront with "yes" or "no." By context I mean: what data are we migrating to the cloud? Where is it being stored and how? What equipment are they running on? What's the value of the data and the risks if it got into the wrong hands? Who exactly is handling the organization's data on the other side? Not all cloud vendors handle their security similarly, and not all cloud vendor offerings are made equal. As illustrated by The Register article, even some SaaS services can offset parts of THEIR infrastructure stack to other cloud vendors, so this further throws in more complexity to the "security" issue.

    Good points Jason on in-house security. SaaS vendors will have better resources to harden the security re: data and services provided. And of course, a nonprofit's security policy should also be strong, or at least taken seriously. If a nonprofit's in-house network security ranks poor, applications haven't been patched in ages, the staff has shady computing habits, or password policies are just "whatever,"...  Well, data can still be vulnerable via these other trajectories. A nonprofit's faith invested in a cloud vendor must also be matched by the faith invested in the security policies within their own perimeters.

  • Gosh, I just have to say how informed and interesting the comments are on this by Donny, Jason, and Skylance. it really is an interesting discussion developing here.

  • One of the things stopping many non-profits from making progress in the cloud is a pesky little thing called HIPAA (if your NPO is subject to such things). Within the HIPAA privacy rules is a statement that summarily states that you need a business agreement with the entities that store your data, ensuring its utmost confidentiality. Of course, finding a mainstream cloud provider that will sign such a liability agreement is not an easy task. And with the high-profile breaches that have occurred, many organizations feel that the best approach is to keep their data entirely within their own four walls.

    All of this is not meant to say that I disagree with the cloud approach. And I most certainly acknowledge the fact that security within a typical organization is rarely going to rival that of a well-run cloud. What we are up against is perception much more so than reality. When public perception of cloud security evolves, so too shall adoption.

  • Tim,

    Good point. I just wanted to clarify for folks that HIPAA is the Health Insurance Portability and Accountability Act and it applies to any US entity that handles medical records. Nonprofits that need to store medical records, regardless of whether they're onsite or in the cloud, need to ensure that medical data is HIPAA compliant - which is considerably more complex than garden-variety data storage.

    The clearest thing I've found so far on what HIPAA compliance means is at:
  • Great link, Jim. It is one of the more easily digested summaries I have come across. By the way, I intentionally left out the definition of HIPAA since if you are not aware at this point it very likely does not apply to you!
