Cloud computing has been described as a trade-off between sovereignty and efficiency. Where is security (aka Risk Transfer) in this debate?
Chris Hoff notes in his post that yesterday’s SaaS providers (Monster, Salesforce) are now styled as cloud computing providers. However, it was just recently that these providers were attacked and had data stolen, which was then used in other attacks.
CIOs, under increasing cost pressure, may begin to accept the efficiency argument that cloud vendors have economies of scale in both the acquisition and operations of the data center.
But hold up…
To what extent is the risk transferred when you move data to the cloud? To a very limited extent: at most, to the extent of the SLA. This is similar to the debate where one claims compliance (Hannaford, NYC and now sadly Mumbai) but attacks take place anyway, causing great damage. Would an SLA save the manager in such cases? Unlikely.
In any case, the generic cloud vendor does not understand your assets or your business. At most, they can understand threats in general terms. They will no doubt commit to the SLA, but SLAs usually refer to availability, not security.
Thus far, general-purpose, low-cost utility or “cloud” infrastructure (such as Azure or EC2) and SaaS vendors (salesforce.com) do not have very sophisticated security features built in.
So as you ponder the sovereignty vs. efficiency trade-off, spare a thought for security.