Last week’s excellent ISSA-UK Chapter meeting, kindly hosted by KPMG, highlighted two interesting security developments in cloud computing.
The first was that this is a rapidly developing subject area. At the start of 2009, very little analysis of the risks and solutions could be found. Now we have several guidelines and can listen to a raft of articulate presentations on the subject.
The second is that some security thinking on this subject is misconceived, namely the recommendation that clients undertake rigorous due diligence, audits and real-time monitoring. That approach would bring vendor services to a halt and lead to a massive duplication of effort.
The whole point of cloud services is to deliver a standardized, uninterrupted service. Vendors should be persuaded to provide the highest level of independent assurances to clients. That’s where our attention should now focus: on agreeing the nature of the standards, assurances and ongoing information feeds that we need.