We happened to hire a former Cisco engineer locally. Suffice it to say, he was a bit surprised we had outsourced all of our equipment with no admin access. Moments later he had guessed the router password in less than 3 tries. And it turned out the service provider had used the same password nationwide on literally hundreds of routers protecting ultra-sensitive information.

Senior officials spent many months trying to cover up the security disclosure. The service provider is still in place to this day. As a backup of non-sensitive, encrypted data, I’m all for Cloud Computing. Otherwise, you’d have to be nuts!

Security is the separation of an asset from a threat.

Cloud computing is distributed computing + distributed applications. A more granular/hip way to say this is: vCompute, vStorage, vNetwork, vApp. Cloud computing brings all assets to all threats. It’s the opposite of security.

“Cloud Security” is an oxymoron. Please also see: http://rationalsecurity.typepad.com/blog/2008/12/alistair-croll-on-cloud-security-the-sky-is-falling-and-apparently-logicfacts-are-too.html

Enterprises have deployed a great deal of process and automation to govern IT policies. Today, governing IT policy for cloud resources through these customer interfaces is disjointed from these processes and automation tools. And because these interfaces are publically accessible from the internet, the risk is amplified. For example, most enterprises have identity management systems to automate employee onboarding, offboarding and role changes. When a disgruntled employee is fired, he/she is set as inactive in the identity management system and all of his/her infrastructure and application accounts are disabled automatically, including VPN access to the systems he/she might want to compromise. Even if there is no automation tool, there is likely a process checklist HR drives to accomplish the same result.

Most enterprises are unlikely to even have electronic tracking of what cloud resources an employee has access to, let alone processes or automation tools to ensure they are all disabled and data secured. So in the scenario of the disgruntled employee, the identity management tool revokes his access to all internal systems and applications, but don’t know he/she has admin access to a dozen important EC2 instances in the cloud. And because the EC2 instance is internet accessible, revoking his VPN access did not provide the second line of defense it does for systems that reside in a corporate data center.

This is just one example. You can find many ways in which cloud infrastructure is not yet integrated into enterprise process and automation. All of the arguments for controlling VM sprawl with process and automation in the enterprise data center are amplified when the resources are outside the corporate membrane.

Until IT systems and processes are able to govern cloud infrastructure and applications as a simple extension of the enterprise, cloud definitely does present a security risk.

Couple that with the stickiness of cloud offerings (once you have uploaded 5TB of data to the cloud can u be arsed moving vendors?) once the data in in the cloud the user is potentially tied to the vendor (and any changes in price structures) for a very long time.

1) Not your employees. What’s stopping a network administrator at Cloud, Inc. , who knows the security weaknesses of the gigantic storage network better than anyone, from doing anything different than your own employee? Say they get ticked or fired. They could just as easily disable security services on their way out as your own employee.

2) Security of data. Maybe the physical network is secure, but there isn’t anything more than EULA or privacy policy standing in the way of big cloud companies doing deals with other companies that would like access to all that data they have. Even anonymized, crawling that data changes the game of data privacy.

Is Windows less secure then OS X or Linux? The Answer, like it or not is no. But Windows is perceived to be less secure and therefore it is, at least in the eyes of the those making the IT decisions Potential cloud customers/users believe that security is a problem with cloud computing. This is a fact. I experience it everyday. The problem that we in the cloud industry must face is the question of trust. A lot of enterprises trust IBM, Cisco, Oracle, ATT, but are not so sure they trust Amazon or some random startup they’ve never heard of. We need to address this first and foremost. Your points are valid but only if you’ve already made it over the initial barriers to entry which we haven’t yet done.