Vested interests

I saw an article yesterday that said that information security professionals believe that Cloud services should be assessed in the same way as any other outsourcing exercise. Whilst the need for due diligence is absolutely crucial, I question whether the same metrics and parameters can be applied in the Cloud era, and, more than that, whether a group with such vested interests in the status quo can be taken at face value. (Incidentally, in the autumn I was at an event where a man from Standard and Poor's got up to talk seriously and earnestly about the future of the economy. I had to use all of my self-control to not get up on my chair and start yelling obscenities about how it was his organisation that got us into this mess with their "predictions" in the first place.)

Anyway, why do I have such reservations about our information security colleagues? Well, because they generally fall into one of two broad categories: the useful, but sadly in the minority, group who understand the concept of risk analysis and offer a judgement based on cost/benefit; and the majority who are obsessed with control and military analogies.

This latter category are, to coin a phrase, pissing in the wind in the Cloud era. If you put too much security around something these days, people will find ways around it, using their own devices and curiosity, to get their jobs done. Rather than providing security, info sec these days is, I would imagine, inadvertently just pushing more and more business information out into the public Cloud.

Judge Cloud services just as any other outsourcing? Well, if you do, you may well find that you rule out their use because they don't fit with your old outsourcing models (multi-tenancy, by way of example, often causes issues), you therefore don't implement things that keep you competitive, and therefore either you eventually go out of business or, at best, you wake up one day to find most of your business information sitting on Facebook or YouTube. I'm not suggesting security isn't important - it is more important than ever - it is just that these days it is decentralised and much, much more complicated than a task that can be delegated to an information security team.
