RSA part 1 – Cloud Security
I’m not at RSA, but I’ve been reading some of the coverage of it.
A couple of Mr Coviello's comments about cloud security, as reported in Maggie Shiels’ blog at the BBC, make me a tad upset.
"Something is holding back the full realisation of this vision, and that in a word, is security"
And that was when Mr Coviello threw down the gauntlet to the audience telling them that they had to step up and "embrace the challenge and seize the opportunity" and ensure safety is designed and built in.
It's a bit like saying that those damn safety folks are holding back full utilisation of the roads, and that we safety officials should work to provide roads that can be travelled at high speed safely.
Sure, you can make safe(ish) roads, but there are also requirements for the cars to be safe(ish), as well as the drivers.
OK, that’s my disagreement with his initial sound-bite – but for the overall tone, I have to agree that it’s vital that Security is seen as a business enabler, rather than a choke-point where business process and information goes to die.
My take on cloud security
I see cloud computing as a great way for businesses to do what they have always done – to rely on someone who’s really good at a job, to do that job for them.
Most businesses don’t generate their own electricity, or build the roads that lead to them. They get other companies to do that for them. Similarly, if you’re not in the business of developing and providing data centre service, why should you be engaged in doing so?
It’s my hope that cloud computing leads developers to realise that if they can no longer trust, or at least own, the machines on which their software runs, they have to design their applications and data flow to match. I hope that this leads to developers writing more secure and robust applications, and encrypting or removing sensitive data wherever possible.
Sadly, I suspect that many developers and designers will instead say to themselves “the business has bought off / accepted this risk of running in the cloud, so I will just carry on doing the same insecure application development that has ‘worked’ for me in the past.”
I’d greatly appreciate it if you’d be the first kind of developer. Thank you.