Security in the clouds

We’ve seen a fair bit of media coverage over the last week about the launch of Google’s new Chrome operating system, and how this will herald a new era of cloud computing. One thing that’s interesting is the fact that the jury is still out on the security implications of cloud computing. On the one hand we’ve already had a few doomsayers predicting a terrorist disaster. And on the other hand we have observers such as Bruce Schneier reassuring us that we little to fear from the odd outage of e-commerce sites. Where does the truth lie?

The reality is that there is no one technology solution that will sweep across the business sector. Cloud computing can be implementing in-house as well as in external clouds. And secure, private implementations will undoubtedly appear to appeal to security-minded enterprises. It will certainly not be a rapid take up. Legacy applications are difficult to eradicate. But let’s be honest. A lot of cloud computing applications will be implemented by business units well before security managers have assessed the risks and identified the range of solutions that are necessary to mitigate the risks.

Security always lags behind the situation on the ground. In the case of cloud computing, however, the business risks of vendor lock-in or bankruptcy are probably more significant than the security risks, at least in the shorter term. But do not underestimate the longer term implications. Because however you implement it, cloud computing will result in a substantial loss of direct control over the management of systems and infrastructure, and, more than likely, create a fresh set of single-point failures. As Bill Gates himself once observed, we tend to overstate what will happen in the next few years and underestimate what will in the next ten.