Security is a big buzz issue when it comes to discussions on cloud computing.  Is it right for you?  What are your security concerns?  Is it truly more secure than traditional private computing, or is it merely the illusion of security?

A lot really depends on the organization. For some places, with no backup or security in place, a decent cloud provider is going to be better, hands down.  A place with decent, although definitely not perfect, security in place? That's a very different issue, and it can be hard to say which is more secure.

One issue that tends to get dismissed is what happens when the host is served with a search warrant of some sort?  So far, things have not gone well for "tenants", both in practice and in case law.

First I think we can all agree that all companies should have data security, right? Back ups also, but moving your service to the cloud provider doesn't guarantee your data is secure, right? What if your dat consists of SSNs or credit card information or even worse have to be HIPAA compliant. All is great as long as that data stays on the server in house or at the hosting company, but as soon as it is sent to the internet it is no longer secure unless it is sent using some sort of security.

I can see how a cloud provider is assumed to have better security and back up servers all the time and have the staff to maintain all of it 24/7, The question is, is CLOUD COMPUTING more secure than in house?

Well, there are ways to increase the security of the data you are sendig, such as using encryption or ssl. Is it sufficient for HIPAA compliance? I don't know, but I would think that is should be acceptable for more "routine" issues. It is important to remember, it's not just HIPAA that requires certain levels of security and/or privacy, so this is a broader question than many realize.

So what I am learning is Cloud Computing is not more sercure or sercure at all since we are talking about hosted services not includeing websites. The only way to secure your data transfers are to have a process and hardware in house to secure your data.

I would say that cloud computing is not necessarily more secure, or even secure at all. Some cloud computing solutions are fairly secure, others - not so much.

I remember talking to multiple vendors when the cloud computing thing started becoming a bit of a vogue - only they were called ASPs then. I've had all sorts of responses when I asked about various security and privacy related issues. Some either don't HAVE any consistent policies in at least on critical areas, or won't disclose them. I've had vendors who essentially told us to trust them - one actually said "We'll you would have to trust us" when I asked him how I could have any assurance that their staff is not looking at our confidential data. Another told me that their security and backup plans were "confidential information." Others, on the other hand, do have solid plans, ans are willing to share at least enough information to allow people to draw reasonable conclusions.

One thing is for sure - the assumption that a "big" company would surely have the right processes and procedures, including appropriate backups and customer communications, in place, is clearly unwarranted. Sidekick may have been a consumer service, but it was "big" enough that one should have expected somethign much better from them/ 

Earlier this year, TechSoup's Lead Tech Analyst and security guru, Kevin Lo attended RSA 2009 (a big tech industry security conference) where cloud computing was a hot topic of debate.

He blogged about it here, but I think the consensus is that the jury is still out on this one. Like someone else stated, it can provide a lot more security for a smaller organization with no in-house servers or backup systems and probably end up being a lot less secure for an organization with in-house IT staff and resources to manage IT.

Here's a quote from his post about a presentation he attended:

The presenters from RSA and Sun Microsystems argued that due to a variety of factors, large enterprises are ill-advised to, or at least shouldn't be, using public clouds for their infrastructure or applications. At the same time, they believe that although software-as-a-service (SaaS) is likely to be a step down in terms of security for large enterprises, it may be a step up for small and medium businesses.

I should start by saying I am NOT a fan of cloud service in general, you are at the service providers mercy and you've got all your eggs in one basket.  Individual services, yes. i.e. online backup services, hosted email. The path to get a good cloud service in place is to complex for non IT educated users. The typical help desk/ Network guru isn't going to understand everything needed either. You'll need a qualified security expert and its a whole different field. As the author says you need to know what to ask and you also need to understand IT security.

When selecting a service provider, if you don't have the in house expertise to address each of the items listed as threats, selecting a service provider will be tough. You'll need an expert and they won't be able to give you an educated answer until they know everything there is to know about your organization.

Cloud security will never be as secure as an internal network simply because it includes all of the risk of an internal network plus the cloud (Internet and service provider).

Make sure you understand the complete cost of cloud service, What its going to cost to operate, what its going to cost to migrate to a cloud service, training for the users and what an Internet iterruption is going to cost. Reliable 24 X 7 connections are available but they cost 4 times as much..

I think from a practical standpoint cloud services are indeed much more secure for small non-profits. Most of them can't afford proper IT infrastructure and services which are critical for ongoing security - and cloud providers do maintain security of their system, patch servers etc.

Good point, ChiefApricot! On the flip side too, security is definitely one of the biggest considerations--and potential downsides--of cloud computing (since it's managed by the cloud and not an organization's own security infrastructure/policies). If security is a big issue and you are a large enough org. that can provide adequate internal security, the cloud for some functions might not be as optimal.

I'd love to get feedback from many of you on newly updated cloud computing landing page. It includes a few resources on security and the cloud and we'd love any feedback as to how we can improve this page and make it more useful.

Best,

Megan