Ugh, the Cloud
The cloud this and the cloud that. #$%* the cloud. I'm not putting anything important up there because who knows what the hell those sky people are doing with my data. I just don't trust them. My data is 10 times safer down here in my datacenter at HQ.
Above is a statement that has some truths and also some false assumptions about the cloud. Frequently I have conversations with IT professionals and others who do not like the idea of putting their data in the cloud. It isn't so much that they don't trust a specific vendor. They just feel they can protect their data better themselves. In some cases that may be true.
Let me ask a couple of questions to those of you who feel you can protect your data better than a well-regarded cloud provider that you have put through a third-party review process. How many people do you have on your security team? Does your CISO report to the CIO? Are you regularly scanning your environment inside and out? Do you pentest your web applications before you put them out on the Internet? Do you have a bug bounty program? What kind of security monitoring do you have in place? Is the monitoring 24/7? Do you have an incident response team? What about staff that can perform forensics or find indicators of compromise?
I frequently see organizations overestimate their security. Sure, a pump shotgun next to the bed provides some security, but it isn't the same as a couple hundred Marines surrounding your house. While a shotgun may be plenty of protection in the majority of neighborhoods in the U.S., it isn't enough protection for IT infrastructure that is connected to the Internet. What I am getting at is this: if your security team is one person, or none, then the chances of detecting an attack and the exfiltration of data without some heavy reliance on a managed security services provider are pretty low.
Now that doesn't mean that every cloud provider practices good security. There are many that do security well and just as many that do it poorly. That is where third-party review comes in. Quiz and test cloud providers before you use them. Never just take the word of anybody that sells software or any tech services as the truth. Most of what we get on vendor websites and from sales reps is fluff that has no meaning (I don't mean to offend; sales staff are important, but seriously, a lot of marketing is just ridiculous). Make them prove what they claim about their security through third-party reports, certifications, auditing, etc.
By now you've probably realized I'm not against using the cloud. The cloud is really great in that you don't have to worry about managing infrastructure and other boring stuff. If the cloud is done right, it can provide good value and be as secure as, or more secure than, hosting locally in your corporate environment. So don't fear the cloud, just question the crap out of it until you are confident it can provide the utility you need securely.
Disclaimer: The views expressed here are mine and mine alone.
Comment from Information Security Auditing, CISA (Certified Information Systems Auditor) - Author - "Too Late, You're Hacked!" - Creating Security Policies and Vulnerability Assessments - Defend before you're hacked (8 years ago):
Testing your thoughts and providers is always a good thing