The Centre for the Protection of National Infrastructure (CPNI) has just published a briefing note on Cloud Computing, compiled by Deloitte. It’s a useful snapshot of the latest fashions and jargon on this fast-moving subject. Unfortunately, it fails to connect with reality when it comes to the security recommendations.
None of the key recommendations strike me as being practical. They include measures such as customer-managed encryption, tough terms and conditions, consideration of all legal implications for every location involved, and heavyweight due diligence and auditing.
The whole point of Cloud Computing is that it’s primarily a low-cost, commodity service based on take-it-or-leave-it services from unspecified locations.
It would grind to a halt if every customer demanded different terms and conditions, attempted to encrypt their data and exercised audit rights. Risk comes with the territory.
What’s needed is coordination of customer security requirements and tougher, independently assessed security standards. As for encryption, I can’t envisage how any service provider can adequately support a Software-as-a-Service application without access to the data.