The Cloud Security Paradox
- Enterprises can’t/won’t adopt cloud because of the security.
- Enterprises are moving their security to the cloud.
These two statements would seem to be opposing, but they’re both true – and there lies the paradox.

When the conversation is about ‘as a Service’ such as IaaS, PaaS and SaaS then in most cases the first statement applies. You don’t have to look very far to find security at the top of everybody’s list about why they’re not doing cloud. This is understandable. Moving stuff to the cloud involves transitional risks (bad stuff happening when you change things) and outsourcing risks (other people’s screwups getting you fired), and risk=~security right?
When the conversation is about Managed Security Service Providers (MSSPs) then the second statement applies. The whole point of MSSPs is that they can bring to bear on the thorny problem of security monitoring systems and expertise that no single organisation could do for themselves. There was a whole session at WEIS 2007, chaired by Bruce Schneier, looking at the role of MSSPs in the overall security ecosystem(/economy). MSSPs are used by some of the largest and most conservative firms on the planet (like Swiss Banks) – exactly the kind of organisations that say they’d have a hard time adopting ‘cloud’.
“Ah”, I hear you say, “MSSPs aren’t ‘cloud’ in the same way that IaaS, PaaS and SaaS are ‘cloud’” – at which point we need to define ‘cloud’. My definition of cloud (which I steal shamelessly from Simon Wardley[1]) is that it is the use of IT as a standardised commodity sold as a utility. This definition clearly works for MSSPs and for *aaS.
What I find odd is the expectation that an MSSP view of cloud (statement 2) can somehow influence a ‘security stops me from *aaS’ view of cloud (statement 1). Here are some of the headlines that set off this cognitive dissonance (coming from this week’s announcement that Dell will buy MSSP SecureWorks):
- Dell’s SecureWorks Acquisition Plans Fit into Cloud Strategy
- Dell Secures Its Cloud Strategy With SecureWorks Acquisition
- Dell expands cloud security portfolio with SecureWorks
and others are clearly feeling that dissonance, and think that the deal is actually all about pushing back against the threat of ‘cloud’:
- Dell-Secureworks, big deal for the cloud? I think not
- Dell picks up security firm SecureWorks to slow migration to the public cloud
I don’t think either is a true view. Dell buying an MSSP is unlikely to move many of their customers towards cloud (if they’re digging in against ‘security’ concerns) or away from cloud (if they are enlightened enough to realise that cloud services can meet their security needs).
The heart of the cloud paradox is that large-scale service providers can do things with security that their smaller-scale customers cannot – something that was covered brilliantly by David Molnar and Stuart Schechter in their paper presented at WEIS 2010. So *aaS-style cloud brings the same sort of security benefits as an MSSP-style cloud (and both bring their own risks). The paradox will be resolved when more people realise this.
[1] and Simon would likely say that his definition actually comes from Douglas Parkhill and others.