IT security pros: Have your say in cloud computing decisions
By Eric B. Parizo, SearchSecurity.com 28-Jun-2010
Earlier this week I traveled to Gartner's Security and Risk Management Summit to try to get a sense of what's at the top of information security managers' agendas in mid-2010, a time when (hopefully) many businesses are pulling out of recession mode and ramping up long-delayed security projects.
There's certainly more overall optimism than I've seen in some time, but my most surprising discovery was that security pros can't get enough of the cloud. For instance, as I wrote earlier this week, I couldn't help but notice how a large audience of security pros was captivated by two Google Enterprise desktop security case studies, even though neither one offered much talk about security.
During a case study presentation about secure Web gateways, one of the first questions from the audience was whether the speaker's organization had considered a cloud-based gateway. And in my one-on-one conversations with attendees, the cloud was consistently one of the first and most enthusiastic topics raised.
So my question is this: Have you all gone crazy?
I'm not sure why infosec's finest have suddenly become so enamored with the cloud. Maybe it's the promise of across-the-board cost savings for IT. Maybe it's the simplicity of having fewer in-house systems. Maybe it's the pipe dream of making security of the organization's data someone else's problem.
As a public service to you, our readers, I wanted to offer a brief, far-from-comprehensive reality check. For starters, it should be noted there's no such thing as standardizing security for the cloud, because there's no such thing as a standard cloud. Outsourcing infrastructure, platforms and software all require different security measures. There are hosted public clouds, private clouds, hybrid clouds, community clouds... you get the picture. With cloud security, there's no one-size-fits-all strategy.
There are many other more specific points worth considering. Here are a few:
The risks of cloud computing outweigh the benefits, according to nearly half the respondents of a recent ISACA survey of 1,800 members; only 10% of respondents' organizations plan to use cloud computing for mission-critical IT services.
The Cloud Security Alliance says there are seven high-level threats to cloud computing that span all service models, and organizations eager to jump into cloud computing often fail to properly assess the risks.
There are still major questions about availability, backup, encryption, monitoring, incident response, and of course compliance, because enterprises are still required to remain compliant with the applicable regulations and laws when using cloud services.
During one particular conversation this week, a security pro gave me the sense that the acceptance of the cloud wasn't as much about security as it was about obscurity. If I'm outsourcing data alongside hundreds of other companies using the same service, if there is a breach, chances are someone else's data will make for a much more attractive target. Sadly, just because you're hiding your data under the same rock as everybody else, doesn't mean it's any less likely to be exposed.