June 23, 2008

The topic of security in the cloud has been around for a few years and practiced in bits and pieces, but has been heating up lately. Pundits are pontificating, cloud blogs are online, cloud security startups are hiring, established companies are launching new products - I mean services, so the cloudbuzz seems real enough. It is probably not a bad idea to look into security in the cloud and see if we are all talking about the same thing.

An evolutionary aspect to security in the cloud is the business of putting traditional security functions into a hosted platform, with the low-hanging fruit being perimeter-facing functions like gateway antivirus and spam filtering. ScanSafe is an oft-cited example of a first mover in this space. It is evolutionary in that it essentially takes managed security services (MSS) one step further. MSS grew by creating efficiencies: it outsourced some of your security people and management systems while leaving your security hardware in place. Security in the cloud eliminates the hardware from your point of presence as well. This seems like a logical progression - having just enough experts in managing gateways and blocking malware using just enough hardware and bandwidth (ok, sometimes “not enough” - that’s what SLAs are for).

It gets more challenging as we seek to provision cloud services that solve security problems in locations other than the perimeter. A cloud service can manage policy-based encryption from Internet point to point. It becomes much more difficult to manage the internal slice of the corporate encryption policy - not impossible, but an organization will likely try to solve this problem with a cloud service and a traditional product suite at the same time, risking policy violations and data breaches from a disjointed approach. In this new world of hybrid security via cloud and traditional products, security architects will need to work overtime to develop solutions with integrity.

So, aside from evolving the security we know today into hosted services, what else do we mean by security in the cloud? To me, it means securing the cloud itself. As organizations move more line-of-business applications to Software as a Service (SaaS), they are bypassing carefully architected controls that no longer apply. A wide variety of new security solutions need to be built to address the new complexities of information residing anywhere, hosts that are really VMware instances, and data centers that you will never see.

So the question before us is, “Is security in the cloud good security?” Cloud security can only succeed within limited boundaries if, as businesses, we conservatively adopt SaaS. Cloud security is strategic if it evolves to manage enterprise SaaS applications. So the real question becomes, “Is SaaS good enough to run my entire business?” Another formulation is to understand the cost savings that SaaS is delivering and determine whether an increase in risk offsets them. In the long run, I feel that investing in SaaS and securing it natively will certainly be more cost effective and secure. I say this with all due respect to enterprise security practitioners, but in my experience they generally are not as well versed in the technology as the practitioners within the MSSPs or vendors that are living with it 7×24 in many different environments. Outsourcing the technology and not the business acumen is logical on the face of it. What I can’t predict is when we will reach the point of SaaS being provably more secure than the alternative, and how many CISOs need to get thrown under the bus until we get to that point. What did Keynes say about the long run?

By Jim.Reavis • Articles, Future Forecast
