
Cloud Providers Are Better At Securing Your Data Than You Are…

November 21st, 2008

"Cloud Providers Are Better At Securing Your Data Than You Are…"

To some, this is a contentious point while to others it seems entirely logical.

I must tell you that I've witnessed this very assertion as it has been raised more times in the last few days than I can count.

Before I get into any more juicy bits regarding this topic, I wonder if you wouldn't mind popping over and reading a blog post I wrote in August, 2007 titled "On-Demand SaaS Vendors Able to Secure Assets Better than Customers?"

Come to think of it, you can read the follow-on post to that one which clearly indicated my point when Salesforce.com and Monster.com (you know, those so-called "Cloud" providers) were breached.

Forgot about those breaches, did you?  Oh, that must have been because they were SaaS providers and not Cloud providers at the time.  Gotcha.

As you read these posts, first do so within the context of what we've come to know as software as a service (SaaS.)  Then kindly re-read them and substitute 'SaaS' with 'Cloud,' won't you?


I have more, but I'll wait till you're done.


  1. November 23rd, 2008 at 21:49 | #1

    Locking Down Your Cloud?

    How important is your data? What would happen if it got into the wrong hands? Do you think you could recover quickly if it all vanished?
    Now ask yourself, how secure is your cloud? Does your HR department know you have outsourced the number crunching fo…

  2. November 24th, 2008 at 15:56 | #2

    I think your point from the second post is key: "It means making sure your policies extend and are applicable 'outside the castle.'" As folks look to add cloud services to their repertoire, they need to raise the bar. Presumably, most service providers can do a reasonable job with things like access control and perimeter security. The question is how well they can dynamically implement your particular security or compliance policy in an auditable manner. Minimally, as a cloud operator, I need to:
    1) Have an mgmt interface/protocol to receive policy requirement from a customer
    2) Assess the policy and see if I have the infrastructure to support it
    3) See if I have the resources to support the policy and then arbitrate the new policy against existing policies I am supporting
    4) Implement the policy
    5) Accept the workload from the customer
    6) Provide documentation and an audit trail
    Should be interesting to see how this unfolds. 🙂
    Omar Sultan
    Cisco Systems

  3. December 17th, 2008 at 12:57 | #3

    Security- A casualty in the Sovereignty vs Efficiency tradeoff

    Cloud computing has been described as a trade off between sovereignty and efficiency. Where is security (aka Risk Transfer) in this debate?
    Chris Hoff notes that yesterday's SaaS providers (Monster, Salesforce) are now styled as cloud computing p…

  4. October 21st, 2009 at 09:26 | #4

    Hoff, another item to consider for many (most?) companies is this: The "cloud" providers had better do a lot better job than anyone because as they grow, they also become the biggest target of all (kind of like why there are so many worms/viruses that attack IE instead of Safari). If you are running a shop for an SMB or even for a not really big or famous company, it is fairly unlikely that you will be directly selected for an attack (however, you still get hit with all of the regular garbage such as web clicks, embedded attacks in e-mail, etc).

    There are quite a few "white hats" out there already breaking barriers in AWS … because it is the largest and easiest target.
