
First Oracle with “Unbreakable” Now IBM “Guarantees Cloud Security”

February 17th, 2009

I'm heading out in a few minutes for an all-day talk, but I choked on my oatmeal when I read this:

In a CBR article titled "We Can Guarantee Cloud Security," Kristof Kloeckner, IBM's Cloud Computing CTO, was quoted at IBM's Pulse 2009 conference as he tried to "…ease worries over security in the cloud":

Despite all the hype surrounding cloud computing, the issue of security is one debate that will not go away. It is regularly flagged as one of the potential stumbling blocks to widespread cloud adoption.

He said: “We’ve developed some interesting technologies that allow the separation of applications and data on the same infrastructure. We guarantee the security through Tivoli Security and Identity Management and Authentication software, and we also ensure the separation of workloads through the separation of the virtual machines and also the separation of client data in a shared database.” Speaking to CBR after the press conference, Kloeckner went into more detail about IBM’s cloud security offering.

“Security is not essentially any different from securing any kind of open environment; you have to ensure that you know who accesses it and control their rights. We have security software that allows you to manage identities from an organisational model, from whoever is entitled to use a particular service. We can actually ensure that best practices are followed,” Kloeckner said.

Kloeckner added that most people do not realise just how vulnerable they really are. He said: “Most people, unless forced by regulations, usually treat security as a necessary evil. They say it’s very high on their list, but if you really scratch the service, it’s not obvious to me that best practices are followed.”

I wonder if this guarantee is backed up with anything else short of a "sorry" if something bad happens?

This will make for some very interesting discussion when I return today.

/Hoff


  1. February 17th, 2009 at 05:16 | #1

    If you "scratch the service"???? Is the cloud itchy?

  2. February 17th, 2009 at 07:31 | #2

    It sounds like Kloeckner is talking about data access through an application. This is the situation where a user is doing things "the right way" and using the application for its intended use. By integrating my app with Tivoli Security and Identity Management and Authentication software Kloeckner says that requests for data within that application are guaranteed to be secure. Basically you can't access my confidential health records if we're both using the same self-service health record app. By using Tivoli for authentication and authorization the app dev. team is freed up from implementing (and screwing up) their own A&A scheme.
    This is fine but it's only one aspect of securing digital assets. I would expect correct A&A from any application I use today, desktop or Web 2.0. Kloeckner discusses security strictly from an identity management point of view. When fear-mongers think "cloud security" they're thinking about all the other scary data access points. Direct access to a shared database, sniffing data on the wire, plugging a rogue Dreamcast into a switch, plain-text data sitting out in the open, questionable hardening of production environments leading to unauthorized code modifications… None of these things can be addressed by identity management services.
    Cloud computing is as secure or insecure as you make it. People still need to be smart about what data they put out there. They need to be as careful as they should be when the app is kept in-house. The problem is that no one is careful in-house.

  3. February 18th, 2009 at 02:26 | #3

    This is certainly the way to go with Cloud Computing.
    If you are not going to bore me with details about how you protect my information and you are confident that you can protect it then at least guarantee it.
    Of course, the value in this would be how strong the guarantee is. As you say, "We're sorry, mate" is not going to cut it.
    I would expect that the provider pays all damages.
    On the other hand, the two issues that come to mind are:
    1. Most companies don't find out about a breach themselves even if it is on their *own* network. And, certainly, when there is money involved IBM (for example) is probably not going to go out of their way to alert you to a breach. I could be wrong.
    2. How do you prove loss? Measurement of monetary loss due to information breach is very difficult to prove. And putting a value to reputational damage even more so.
    IBM would be silly to have a blanket cover (because a dedicated hacker can get into anything) so they would probably only guarantee against breaches caused by mistakes.

  4. September 23rd, 2009 at 05:19 | #4

    I like the discussion points by Allen. We could transfer the discussion to whether or not the cloud services have similar or better protection than you expect, than existing? proposed the similar cost or averagely acceptable cost.
