My blog posting yesterday, criticising the Cloud Security Alliance’s paper on Top Threats to Cloud Computing, created a few comments and discussions on whether the risks are actually any different from other forms of in-house or outsourced computing. Here’s my take.
Cloud computing is a rich subject, with many variants of service delivery and service usage. The risks vary considerably, but one thing is guaranteed: you lose visibility and control of what’s happening to your data.
From a threat perspective, the only difference is that a large collection of data will attract attacks that an individual organisation might not. From a vulnerability perspective the main difference from conventional outsourcing is that you’re buying a standard service, so you can’t expect the same scope for due diligence inspections, negotiation of terms and personalization of security.
For more on this, look out for my forthcoming book “Managing Security in Outsourced and Off-shored Environments: How to safeguard intellectual assets in a virtual business world”, expected to be published by BSI in May. The book has a most attractive cover, featuring a clown fish in a sea anemone. The clown fish is one of very few species of fish that can avoid the potent poison of a sea anemone, so it’s an appropriate analogy.