Shostack + Friends Blog Archive


You versus SaaS: Who can secure your data?

In “Cloud Providers Are Better At Securing Your Data Than You Are…” Chris Hoff presents the idea that it’s foolish to think that a cloud computing provider is going to secure your data better. I think there’s some complex tradeoffs to be made. Since I sort of recoiled at the idea, let me start with the cons:

  1. The cloud vendor doesn’t understand your assets or your business. They may have an understanding of your data or your data classification. They may have a commitment to various SLAs, but they don’t have an understanding of what’s really an asset or what really matters to your business in the way you do. If you believe that IT doesn’t matter, then this doesn’t matter either.
  2. The cloud vendor doesn’t have to admit a problem. They can screw up and let your data out to the world, and they don’t have to tell you. They can sweep it under the rug.

In the middle, slightly con:
Its hard to evaluate security of a cloud vendor. Do you really think a SAS-70 is enough? (Would you tell your CEO, “we passed our SAS-70, nothing to worry about?”) This raises the transaction costs, but that may be balanced by the first pro:

  1. Cloud vendors involve a risk transfer for CIOs. A CIO can write a contract that generates some level of risk transfer for the organization, and more for the CIO. “Sorry, wasn’t me, the vendor failed to perform. I got a huge refund on cost of operations!
  2. Cloud vendors have economies of scale. Both in acquiring and operating the data center, a cloud vendor can bring in economies of scale of operating a few warehouses, rather than a few racks. They can create great operational software to keep costs down, and that software can include patch rollout and rollback, as well as tracking and managing changes, cutting overall MTTR (mean time to repair) for security and other failures.
  3. Cloud vendors could exploit signaling to overcome concerns that they’re mis-representing security state. If a Cloud vendor contracted to publish all their security tickets some interval after closing them, then a prospective customer could compare their security issues to that of the Cloud vendor. Such a promise would indicate confidence in their security stance, and over time, it would allow others to evaluate them.

That last is perhaps a radical view, and I’d like to remind everyone that I’m speaking for the President-Elect and his commitment to transparency, not for my employer.

3 comments on "You versus SaaS: Who can secure your data?"

  • tim says:

    However – many users of outsourced systems (which all this is – outsourcing again) are not capable of ever securing the data to begin with so in many cases using such services is an improvement over standard practice today (which usually involves an excel spreadsheet). I am speaking of mom and pop shops or middle sized companies.

  • Ian says:

    General purpose, low cost utility or “cloud” infrastructure- (EC2), platforms- (appengine), or software- ( -as-a-service are unlikely to have very sophisticated security features built in. More likely we will see vertically targeted implementations that are sold at a premium. Or a layer on top of the existing service. Some applications simply won’t be amenable to centralized utility computing and will be much more cost effective and secure if run in-house, particularly if requirements are sophisticated and well understood. But the “cloud fanboys” really don’t want to hear that.

  • Cloud computing does not necessarily mean “give us your data”
    Yes, they are a client, but this one was so obvious.

Comments are closed.