You versus SaaS: Who can secure your data?
In “Cloud Providers Are Better At Securing Your Data Than You Are…” Chris Hoff presents the idea that it’s foolish to think that a cloud computing provider is going to secure your data better. I think there’s some complex tradeoffs to be made. Since I sort of recoiled at the idea, let me start with the cons:
- The cloud vendor doesn’t understand your assets or your business. They may have an understanding of your data or your data classification. They may have a commitment to various SLAs, but they don’t have an understanding of what’s really an asset or what really matters to your business in the way you do. If you believe that IT doesn’t matter, then this doesn’t matter either.
- The cloud vendor doesn’t have to admit a problem. They can screw up and let your data out to the world, and they don’t have to tell you. They can sweep it under the rug.
In the middle, slightly con:
Its hard to evaluate security of a cloud vendor. Do you really think a SAS-70 is enough? (Would you tell your CEO, “we passed our SAS-70, nothing to worry about?”) This raises the transaction costs, but that may be balanced by the first pro:
- Cloud vendors involve a risk transfer for CIOs. A CIO can write a contract that generates some level of risk transfer for the organization, and more for the CIO. “Sorry, wasn’t me, the vendor failed to perform. I got a huge refund on cost of operations!
- Cloud vendors have economies of scale. Both in acquiring and operating the data center, a cloud vendor can bring in economies of scale of operating a few warehouses, rather than a few racks. They can create great operational software to keep costs down, and that software can include patch rollout and rollback, as well as tracking and managing changes, cutting overall MTTR (mean time to repair) for security and other failures.
- Cloud vendors could exploit signaling to overcome concerns that they’re mis-representing security state. If a Cloud vendor contracted to publish all their security tickets some interval after closing them, then a prospective customer could compare their security issues to that of the Cloud vendor. Such a promise would indicate confidence in their security stance, and over time, it would allow others to evaluate them.
That last is perhaps a radical view, and I’d like to remind everyone that I’m speaking for the President-Elect and his commitment to transparency, not for my employer.