Cloud services are not secure enough for businesses to use, or at least that was the conclusion drawn by attendees of a debate at the giant US Interop show, although all of the participants acknowledged the real answer was more subtle.
Under the rules of the Oxford-style debate, the side that swayed more audience members to its position won, and in this case eight who initially said they thought clouds were secure changed their minds after hearing the arguments.
Allen Allison, the CSO of cloud provider Navisite, not surprisingly took the side that the cloud is secure. His argument was that security on par with what a business can provide itself is a necessity if providers want to survive. "Cloud providers have to incorporate the same type of security," he says. "If we couldn't do that, we couldn't have a cloud industry."
Also arguing for the safety of the cloud was Frank Kenney, vice president of global strategy for IPswitch FT, a managed file-transfer service. Cloud customers have the obligation to assess the risk of allowing data to be stored in a cloud based on how valuable it is to the customers. "Think of the business ramifications for your business if you believe there may be a problem," he says. "The cloud is as secure as you want it to be."
Ravi Rajogopal, vice president of cloud strategy for CA, cited the growing number of records compromised by data breaches over the past six years as a demonstration that risk is just too high to trust data to a provider.
Also speaking against clouds being secure was a John Pironti, president of IPArchitects security consultancy, who says customers can't get enough information out of cloud providers to make informed decisions about risk. "Clouds won't give you transparency," he says. "You don't get to see the controls."
He says 90% of breaches that disrupt businesses involve insiders, and that should be extrapolated to cloud providers. "If the cloud's so secure, why can't we verify?" he says.
Cloud services also expand risk to a customer's data, he says. If someone is angry with another customer who uses the same service and attacks the network to get at that one customer, all the customers are taken down as a result, Pironti says.
Kenney says cloud services can provide value if performance and service-level agreements align with what customers need. If not, customers shouldn't buy them. "It's not 'the sky is falling,'" he says. "Assign risks appropriately. Security is just one of many things you have to do."
Pironti says that criminals seeking to break into clouds laugh at Cloud Security Alliance recommendations about security and at payment card industry standards to protect credit card data. Shared management of customer accounts is the only type of transparency that providers offer, and it isn't enough, he says.
But Kenny argues that the benefits of using cloud services and market forces driving sound security will win customers over. Security will no longer be a worry. "In a year, you won't care," he says. "It's a free market system. Everything seeks its own level."