Is Cloud Computing More Secure or Less Secure?

Mark Everett Hall at Computerworld posted recently on cloud computing security. His assertion is that cloud computing is likely to be safer but, more importantly, that we really need a quantitative study to address the issue:

Just because it seems logical that data outside your on-premises data center will be safer [PL: I think he means riskier here] doesn't mean that it is, especially when there's no data to support the logic. I admit there's also no data to support my logic, which is why the industry needs a detailed study of which approach is empirically safer.

As much as I am a believer in empirical evidence, I don't see how this is possible in these circumstances. I think you could do a quantitative study to, say, evaluate the attack surface of the various hypervisors out there, but cloud computing is sufficiently ambiguous and existing data centers so complex that this is impossible.

I think the point he is missing is that risk is relative, so it is perfectly reasonable for the cloud to be more secure (less risky) for some group of people and less secure (more risky) for others. It depends on your existing architecture and procedures. (We have a tendency to say something is "safer" without answering the question, "safer than what?" This is a crucial comparative that is left out.)

I addressed this same issue in virtualization with my Five Immutable Laws of Virtualization Security. The goal is to understand what might be different and compare it to a current state. With cloud computing, I have a list of issues worth evaluating from a risk perspective. Here are some of them:

  • Physical access at data center vs. cloud service provider. We are transferring physical security to a third party.
  • "Uber" administrators. There is an added level of administration required to assist in troubleshooting, etc.
  • Physical vs. logical separation of computing resources. Evaluating communication channels can be challenging when we rely on our typical backgrounds where physical separation is implicit.
  • Commingling of resources. Depending on how resources are aggregated for economies of scale, enterprises may share risk associated with other entities' resources.
  • Internet facing resources vs. private resources. Accessibility of IP addresses and ports from the Internet changes the threat opportunity.
  • External clients vs. internal clients. This is the other side of the point above: it is reasonable to expect a change in where the endpoint connects to the cloud.
  • Administrative functions. After determining responsibilities, an organization can assess whether these functions are likely to be done more effectively or less effectively in the cloud.

For each of these points, it is fairly easy to envision current-state situations that have either more associated risk or less associated risk. So there is no clean, ubiquitous answer; it all depends. One can, however, conduct a risk assessment and evaluation that will answer the question based on their specific circumstances.