Last week, Hoff pointed to a presentation by Mark Masterson on cloud security. Given Hoff's level of enthusiasm, I was underwhelmed by the content, but sometimes that can happen.
An excerpt:
My takeaways from Masterson's deck were:
- You can't use the risk formula to "prove" that a complex system is "secure."
- Cloud computing increases complexity, so you are even less able to use it (the formula) or prove it.
- Somehow, this proves that people who support "defense in depth" are wrong.
- You are better off "finding ways to design systems that cope gracefully with uncertainty." (This, of course, is also unprovable.)
- We need to stop thinking in terms of "security" and start thinking in terms of "health."
- The Cloud will be just as "safe" as "healthy" as you already are.
To be honest, I think there are HUGE holes in Masterson's logic (I still can't decide whether the first part was intended to be logical or simply analogous). That said, I agree with a lot of what he is saying, which boils down to a call for de-perimeterization and component-based security supported by autonomic computing.
I suppose my biggest criticism is that Masterson talks about "healthy" as if everyone agrees on what's healthy (and, analogously, what is "safe"). I don't trust/believe this by a long shot. Take, for example, this snippet from a recent NY Times article on health:
(This little snippet was my original inspiration for writing this post, though it sort of went in a different direction.)
Ultimately, I think people are much better off using the risk formula as a model to consider how things will change in their cloud environment – exposure to more users (sources of threats), potential for more components (attack surface), and effect on the consequences.