I clearly remember being a kid and scared there was a monster in my closet. I was pretty young, and all it took was my Mom wrapping a can of Right Guard in a “Monster Spray” label to allay my fears. My kids tend to get scared by stuff they can’t see as well, and movies like Monsters, Inc. haven’t done much to dispel the fear in today’s generation. When I went to sleepover camp, there were the stories of Cropsey to terrorize new campers, and the chain goes on and on. We continue to be scared by the stuff we don’t understand.
It looks like the cloud falls into the same boat, as shown by the latest survey by Kelton Research sponsored by Avanade. No, I hadn’t heard of either of these shops either. But all the same, 25% say they’ve had a security breach with a cloud service and 20% are moving back to traditional on-premise apps. There, my friends, is the bogeyman, in full effect.
Since we built the CCSK curriculum, your friends at Securosis have become immersed in many things relating to securing cloud infrastructure. In fact, Rich and Adrian will be teaching the course this week in San Jose to a packed house. We are also training the first set of instructors for the course, so expect to see it offered near you very soon. Which is a great thing, given our collective fear of the unknown.
So here is the dark little secret of cloud security. It’s different, but not that different from securing your traditional environment. The reality is that most folks suck at security, and moving applications & infrastructure to the cloud is not going to miraculously make them any better at it. If you are good at security on-premise, you’ll likely be pretty good when you move stuff to the cloud. That doesn’t mean you will automagically understand how all the pieces fit together, but the fundamentals are largely the same. There really are additional moving pieces, of course, and depending on where in the SPI stack you stake your cloud tent, you’ll need to think about more heavily instrumenting your applications for security and logging/monitoring. Identity changes a bit as well. And never forget that the entire environment (especially private cloud) remains immature and overly complicated.
But since FUD (especially the Fear) is such a powerful motivator for buying security widgets you may or may not need, we’ll see lots of questions about how secure the cloud is. We’ll see plenty of Chicken Little behavior to convince you the cloud is not safe – unless you use this cloud security widget, of course.
But – just as I tell my kids – if you are scared of something you need to understand it. It very well may warrant fear or terror. But until you understand what you are talking about, your fear is not justified. So get educated on cloud stuff. Go take the course. Ask questions, focus on educating yourself and your organization, and then figure out how and how much cloud computing makes sense for you. Just don’t give in to the fear of the unknown that will plague this technology for the next few years.
It’s not that scary. Promise.
Photo credit: “bogeymen everywhere 1” originally uploaded by Voyager10