The Truth about Cloud Security

I still remember introducing cloud security to a Hong Kong journalist back in winter 2011 in Wan Chai (HKSAR); we were having a lunch meeting and she was researching cloud computing. At that time, running servers at a remote site was still a weird idea. As always, the question “Is it safe?” was asked. This question was asked spontaneously (if not involuntarily) when I mentioned that the data is processed at an outsourced data centre. People asking this question do not actually distinguish whether they are referring to unauthorised access while transmitting, the physical risk of a remote data centre, or availability. It is like when commercial airplanes first appeared: when only 1% of the population flew, 99% asked “Is it safe?”

Fast forward to 2015: TechCrunch has an article on this issue, “The Cloud Could Be Your Best Security Bet”, in which Ron Miller explained that major data breaches came from companies with on-premises servers: “Yet if you think about every major data breach over the last two years, whether Anthem, Sony, JPMorgan or Target, all involved on-premises datacenters, not the cloud.”

Ron made it clear that knowledge is the real differentiator when protecting data. Companies like Sony Pictures are not technology firms, and their investment, staff recruitment and intelligence-gathering capability cannot match those of companies like Salesforce, Google, AWS etc.

There is another consideration with which I would like to complement his argument. For non-technology enterprises, or companies that do not offer cloud computing products/services, investment in security controls is usually regarded as a cost centre, which in turn means cheaper is better. For a company like Google, security is a product that they can sell. When evaluating security control investments, cloud service providers are able to invest much more than a bank or an airline company.

Although I agree with Ron’s observations, I have to point out that not all cloud service offerings are the same. Again referring to the airline industry metaphor, running a secure cloud computing platform is costly and bigger players have economies of scale. Budget airlines usually operate flights to less-visited airports and have a niche market. We are going to see similar trends in cloud computing.


About antonyma

Engineering trained, Antony has the qualifications of CISA, Oracle DBA and BS7799 ISMS assessor. He also received an LLM in Intellectual Property & Information Technology Law from The University of Hong Kong. Founder of travel tech startup Powerdata2go.com, Antony was the Chairman of the Professional Information Security Association (PISA) from 2009 to 2010. He also joined the ISC2 workshop on developing a new cloud security certification.

Current positions include:

1. Chairman of Cloud Security Alliance (Hong Kong & Macau Chapter)
2. Convenor of HK OGCIO Working Group on Cloud Security and Privacy
3. Hong Kong delegate to ISO SC 27 committee, which drafts security standards like ISO27001.

Email: antony.linkedin@gmail.com

Specialties: Retail Banking System & Process, IT Security, Copyright Law, Audit & Control, Technology Risk Management, Cloud Security
