I just ran across Katie Fehrenbacher’s article in GigaOm that made a point I’ve been arguing (perhaps not strongly enough) for years. When you start talking to people about “the cloud,” you frequently run into a knee-jerk reaction: “Of course, the cloud isn’t secure.”
I have no idea what IT professionals who say stuff like this mean. Are they thinking about the stuff they post on Facebook? Or are they thinking about the data they’ve stored on Amazon? For me, the bottom line is: would I rather trust Amazon’s security staff, or would I rather trust some guy with some security cert that I’ve never heard of, but whom the HR department says is “qualified”?
And has your security guy, whatever his credentials, installed the latest OpenSSL patches? Amazon has. Google has. And I would bet that every other responsible cloud provider, certainly including Rackspace, Joyent, has. Azure never even had the problem (except on Linux images), since they weren’t running OpenSSL. A month after HeartBleed, more than 2% of the world’s online sites still hadn’t patched OpenSSL. And of course there have been more patches since then.
The argument Fehrenbacher makes is particularly interesting, since it hinges on the NSA and the revelations about their spying activities. It’s easy to say “yeah, Google is this great candy store of data, they’re in the cross-hairs.” Don’t kid yourself. If the NSA wants your data, they certainly know how to find you. Google and Amazon may be candy stores, but they’re at least candy stores with great big locks on the doors (and, at least for Google, using secure connections between internal servers). Can you protect your data as well as they can? It’s not just the NSA: it’s other governments, it’s organized crime, it’s even script kiddies. A recent experiment shows that, for as little as a penny, users will willingly download and install malware. The surprising, and gratifying, part of Fehrenbacher’s argument is that IT managers are realizing this, and are moving data to the cloud as a way to improve security.
I get it: there is a lot of data that can’t move to the cloud, not because IT managers don’t understand the issues, but because they need to comply with regulations that were designed before we understood the scope of our security problems. If you’re in one of those businesses, which includes most of the health and banking sectors, you’re out of luck. But if you think that your IT staff can protect you better than the security teams at the major cloud providers, think again.