Last week’s CSO Interchange roundtable centered on “Barriers to Cloud Adoption”, with talks on identity issues from Jericho Forum’s Paul Simmonds and SSL from security researcher Moxie Marlinspike.
CSO Interchange’s discussions are held under Chatham House rules, but founder Philippe Courtot, CEO of Qualys, subsequently talked to Infosecurity about his own view on the barriers to cloud adoption. And it seems that a lot of it is propaganda. “There is a lot of misinformation around because the established players don’t want to hear about the cloud,” he told us. “They are not ready, and it is a threat to their business. The cloud doesn’t inhibit people – it is the implementation of the cloud that matters.”
The paradigm for securing data in the cloud is different to that for securing data in the enterprise, but surprisingly, claims Courtot, it is easier. “Securing the in-house infrastructure has become more and more difficult – if not impossible.” New products, distributed architectures, new connections with new networks all have to be understood by the in-house admins. “Conversely, securing data in the cloud is simple to understand.” Conceptually, the cloud allows users to separate data from hardware and applications, and concentrate on the data itself. It is the cloud provider that handles everything else.
One of the big concerns for many companies considering a move to the cloud is legal compliance with data protection laws – ensuring, for example, that European data remains within Europe. But “it’s pretty simple,” he says. “It’s not that big a problem.” Courtot makes two points. Firstly, home personal computers pose the bigger threat to privacy because, by definition, they contain personal information. Corporations can more easily separate and protect any personal data they hold. Secondly, it’s all down to the contract with the cloud provider. “If you have a contract with a cloud provider to keep your data in a particular data centre within Europe, he will do just that. Any provider that fails to comply with his contractual obligations will very soon go out of business.” Market forces will protect personal data.
“Today,” he concludes, “we are sitting between two chairs – we have the old system that is becoming harder and harder, if not impossible, to secure – and the new system.” There is still much to do, still much to learn and understand, but we had better get on with it, because, “in the meantime, the bad guys are running riot in our enterprise networks.”