Is Cloud Security’s New Mantra ‘No Worries’?

Based on several new reports, as well as conversations I’ve had with CIOs recently, the cloud is either a “haven for cybercriminals” as one news service claimed, or cloud security is no different from other networking platforms and fears are overblown. Two extremely opposite views, I’d say. So which is accurate?

I hope I will find some answers at our upcoming Smart Enterprise Exchange event on the topic of cloud security. It will be a great opportunity to meet some of our New York-area members and to hear our expert panelists. But also, I admit that the topic itself is becoming more enigmatic to me.

In many circles, the main knock against public cloud services — that they are too risky for sensitive corporate data — seems to be losing steam. For instance, Joseph Puglisi, a veteran CIO and a co-founder of the Cloud Computing Consortium at Stevens Institute in New Jersey, suggests that large service providers can offer as much — or probably better — security than most businesses can. [Joe also spoke at our conference; read more here.]

Industry publications go even further and claim IT execs can quit worrying, and reputable blogs, like one by Irwin Lazar, VP at Nemertes Research, are practically proclaiming that the issue is resolved. Lazar writes: “By leveraging the positioning of security services outside of your network, you can identify and stop DoS attacks before you feel the impact.”

Can it be that simple?

It seems like only yesterday that IT executives were wringing their hands about the risks cloud models — along with mobile devices and social media — pose for their businesses. Just this week, the NASDAQ stock exchange reported that hackers had tampered with its systems.

Beyond that, risk analysis experts, such as Drew Bartkiewicz, Founder and CEO of CyberRiskPartners, warn that SLAs alone can’t prevent every possible occurrence. “Reliance on the premise that clouds are better at security than their customers does not equate to evaporated financial risk,” he writes in a current article posted on

Meanwhile, industrywide standards and government regulations continue to unfold, including a new U.S. federal standard known as the Federal Risk and Authorization Management Program. FedRAMP was released to supplement the widely used Federal Information Security Management Act (FISMA) requirement for vendors doing business with government agencies. Many experts, including Gartner in this report, have outlined steps to protect data in the cloud.

As usual, I suspect that the cloud security issue is not as black-or-white as some may suggest. I have blogged previously about the complications of IT security, and on this Smart Enterprise Exchange community site last year, experts, such as Nils Puhlmann, co-founder of the Cloud Security Alliance, said that “some of the worries are unfounded.” Yahoo CIO Michael Kirwan also claimed that the biggest risk for his company would be not adopting the cloud at all. And our webcast panel in November debated the topic, as I noted in this blog.

On balance, this assessment seems sound: “Cloud computing has weaknesses, but it also offers the opportunity to aggregate and automate cyberdefense,” according to the Center for Strategic and International Studies. The report, "Cybersecurity Two Years Later," is a follow-up to "Securing Cyberspace for the 44th Presidency," which the group issued in 2008.

Amid all of these conflicting reports, CIOs face a dilemma: They need to act quickly to cut costs, increase agility and provide on-demand services to business users. Therefore, they would like the security “bugaboo” to disappear. “We must push the envelope,” James Williams, CIO at NASA’s Ames Research Center, was quoted as saying recently. His group is developing an Infrastructure-as-a-Service offering for the entire agency. “It’s not so much about making the cloud secure, but about using the cloud to leverage best practices in security across an enterprise,” he said.
