I’m continually having conversations with Gartner clients along the lines of “We are getting pressure to use cloud computing services, what are the security issues?”
As I mentioned here, 90% of the time it turns out the pressure is really to consume some application as a service, not really cloud computing. 9.9% of the remaining conversations are more about the potential security issues of private cloud use. Which makes sense, since Gartner has projected that the actual enterprise use of true public cloud services has been way overhyped. Tom Bittman has a nice series of blog posts on private cloud issues here.
Now, whenever the word “private” is included in the name of technology, many people leap to the conclusion that security is built in. But, usually all “private” means is a closed address space, not any guarantee that the necessary security controls are baked in. For example, calling MPLS a “Virtual Private Network” caused many to assume that transport encryption was built in, but of course it is not. In fact, Bjarne Munch and I have a Gartner research note in final review on the issues of adding encryption to MPLS.
The same issues are true with private cloud use. The scope of the problem is bounded compared to the use of public cloud, but the same assurances of keeping the bad guys out, securely letting the good guys in and keeping the wheels on are still needed. A major services and data center architecture upgrade to incorporate private cloud technologies could actually be a security upgrade over many current IT architectures – but only if security is thought about from the start. And not just including encryption – the issues of threat modeling, high availability, retention and key management all need to be thought through.
So, the short answer: nope, just making something private doesn’t make it secure.
John Pescatore
2 responses so far ↓
2 Gary Marsden October 13, 2009 at 8:49 am
Cloud delivered services, whether they are public or private, suffer from the self-same issues that have plagued enterprises, mid-tier organizations and SMBs for years – Passwords. Businesses still think that it is OK to use a static password to secure a network, when in fact they are easy to hack, copy, steal or even purchase. Two-Factor Authentication has long offered a solution, but has also relied on the “on-site” server based requirement that has plagued businesses. Recent developments in Passwords-as-a-Service solutions that use the Cloud to provide multi-company/multi-tier architectures and 99.99% SLAs are changing the dynamics of how you secure Cloud delivered applications – services from the cloud to protect services in the cloud.