Tuesday, July 14, 2009

Services in the Cloud, Security in the House

Reading through the Cloud Security Alliance (CSA) Guidance, I was struck by a basic theme that addresses some architectural reservations that have emerged elsewhere. As we pointed out in an earlier post, the cloud fear factor is ramping up significantly. A recent blogger has even claimed that cloud "mega-hubs" will be an attractive terrorist target, and may result in a digital 9/11. Cloud mega-hubs are nothing new. Consider the DNS system -- a repository of domain names and network mappings, available over the network as a utility. This mega-hub risk has existed for some time, so mega-hubs in themselves do not necessarily represent a new risk.

In any case, a relevant theme emerges through the CSA's Guidance. A few choice quotes that illustrate this theme:

"Unencrypted data existent in the cloud may be considered 'lost' by the customer."

"Segregate the key management from the cloud provider hosting the data, creating a chain of separation."

"The key critical success factor to managing identities at cloud providers is to have a robust federated identity management architecture and strategy internal to the organization."

As you can see, the theme is that security starts in the home. So, while the security risks of the Cloud may actually be overhyped, the best solution is to draw a distinction between the cloud business service functions and the governance activities that surround your organization's consumption of those services. Be sure you encrypt your own data before it is sent to the Cloud. Manage your own users internally before you begin federating, and ensure that you have native capabilities in house (for example, your own standalone SAML authorities) before you begin looking outward. Use Cloud services for their business benefits. Keep your hands on the reins when it comes to security and governance.
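To make the "chain of separation" concrete, here is an added example (not from the CSA Guidance or the original post) in which an in-house key authority seals data before it goes to the provider, and the provider-side store holds ciphertext only. `KeyAuthority`, `CloudStore` and the sample record are constructed for this illustration; the provider is a plain map standing in for real storage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyAuthority is the in-house end of the chain of separation: it offers Seal/Open, but the key never leaves it.
type KeyAuthority struct{ aead cipher.AEAD }
// NewKeyAuthority generates a fresh AES-256 key inside the organization.
func NewKeyAuthority() (*KeyAuthority, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block
	return &KeyAuthority{aead: aead}, err
}

// Seal encrypts and authenticates plaintext before it leaves the house; nonce||ciphertext||tag is all the provider sees.
func (k *KeyAuthority) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob from Seal; a truncated or tampered blob is rejected.
func (k *KeyAuthority) Open(blob []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return k.aead.Open(nil, blob[:n], blob[n:], nil)
}

// CloudStore is a constructed stand-in for provider storage: it holds blobs and has no reference to KeyAuthority.
type CloudStore map[string][]byte
// Exposes reports whether the provider-side copy contains the plaintext verbatim.
func (c CloudStore) Exposes(name string, plaintext []byte) bool {
	return bytes.Contains(c[name], plaintext)
}
```

Losing the provider-side copy then means losing ciphertext only, and a second, independent `KeyAuthority` cannot open it, which is the point of keeping key management in house.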
