Cloud Security: Best Left Understated

Cloud security has received a lot of attention over the past few weeks as result of both the RSA Conference and the Black Hat Europe taking place in mid- to late-April. The RSA Conference, especially, got boatloads of attention thanks to the Cloud Security Alliance making its official debut at the event. And while I’m happy security is getting all of this attention — it’s a huge concern — I’m afraid the rosy state of affairs being conveyed by certain experts will actually have a negative effect on the industry.

The Cloud Security Alliance has been a particularly egregious culprit, claiming that the cloud is already safe enough for enterprise use and will improve quickly as the economic conditions drive adoption. But the Cloud Security Alliance is not alone in making hyperbolic-seeming statements about cloud security – even CEOs of security vendors are saying that cloud computing might be the answer to corporate security concerns.

It’s not wrong to view cloud security with such optimism, I just fear that customers already overwhelmed with cloud talk might consider these statements just more unproven hype. All it will take is one public failure to get everybody shouting about how unsafe the cloud is, and they will not have forgotten about statements to the contrary. (Not that optimistic claims are more dangerous than the gloom-and-doom visions being proffered by others.) Wouldn’t it be better just to understate the prowess of cloud security as something that is stable and on which the security industry will continue to make progress?

Early adopters will figure out security for themselves, but the majority of potential customers are far from moving to the cloud at this point. From what I’ve seen and heard, the latter group — those countless companies without highly skilled IT teams and Fortune rankings — actually seems to resist cloud computing more as the hype builds up. My suggestion is that experts continue to make cloud security the best it can possibly be and worry about marketing their success later; when the mainstream finally overcomes its litany of concerns and is ready to even consider making the move to the cloud, they’ll find that security isn’t quite the issue they thought it would be.

And for the sake of clarity, let’s acknowledge the difference between cloud security and security in the cloud — the former being the subject of this commentary, the latter being security products offered as cloud services. It’s not that the two aren’t related (as someone using Panda’s Cloud Antivirus program, I hope cloud security is mature enough to protect security in the cloud), but interchanging them as one and the same will just spur more confusion.

Question of the week

Is cloud security ready for primetime?