Cleantech Market Intelligence
Security in the Cloud
Some myths just won’t die. Even today, if you mention cloud computing, inevitably somebody responds, “The Cloud is just too insecure to put anything in there.”
First, as I’ve mentioned before, there is no “The Cloud”. There are many clouds – some public, some private, some shared, some hybrids of other clouds. NIST Special Document 800-145 is an excellent definition of cloud computing. If your computing environment meets that definition, you can rightly claim that you have a cloud. If it does not, please don’t call it a cloud.
As for the claim that cloud computing is insecure, my reply is, “Compared to what?” In two decades of cyber security work, I’ve examined several hundred large global corporations and seen first-hand the chronic underinvestment and shortcuts taken with in-house cyber security. Nearly every conference that I attend includes a progression of cyber security officers lamenting their inability to get anything funded. It’s not possible that those same people who cannot get anything funded have managed to deploy such wonderful cyber security in-house.
The most sophisticated cyber security for traditional closed networks with PC-based storage is beyond the reach of all but the largest companies. Yet cloud vendors implement it as a matter of course because they spread the costs across a client base. The incremental cost of adding one more client to a cloud is much lower than standing up a complete in-house environment. Also, the continued existence of a cloud provider is much more dependent upon its cyber security than the continued existence of a utility. So the investment case for a cloud vendor’s cyber security is easier to write. Otherwise the company will fail.
Some of those expensive security features include:
- Security Incident Response teams that are full-time staffed 24/7
- Sophisticated detection tool, such as Network Behavioral Anomaly Detection
- Sophisticated security event correlation, with predictive capabilities
- Geographically diverse double or triple redundancy of all data, networking, and computing assets
- Subscription to threat and vulnerability intelligence services
- Working relationships with Information Sharing and Analysis Centers (ISACs)
What’s more, security teams at cloud vendors usually have a broader view of threats and vulnerabilities, simply because they see what is happening at many clients. In-house departments often do not have this visibility into threats in the wild.
Some in-house IT departments may fear the loss of control that comes with any type of outsourcing. That is understandable. However it is equally true that managers of many in-house systems – AMI or otherwise –have taken shortcuts when deploying cyber security, betting on the relative isolation of the system to protect them – the now discredited security by obscurity. Conversely, smaller utilities that cannot afford in-house systems face most of the same security threats as do large utilities. And yet, it’s rare to hear a smaller utility cite security concerns as an obstacle to cloud computing. This may have less to do with utility size and more to do with pragmatism. And when a lot of smaller utilities operate in a single private cloud, it begins to look an awful lot like the operating environment for one large utility. Cloud computing can provide a secure environment.
But does that prove that clouds are more secure than other environments? Of course not. Like anything else, good security depends upon how effectively it is planned and implemented. But cloud computing certainly presents the opportunity to have a more secure system. For smaller utilities, it may be the only opportunity.