Cloud computing is more secure than you think

With frequent backups and stringent security policies, cloud vendors often run much tighter ships than other organizations

Recent security problems with Google's cloud offerings have sparked a flood of questions about whether or not cloud services are ready for prime time. Are they sophisticated enough to handle the world's mission-critical applications reliably and securely? In my view, the answer is a resounding yes. Choosing one or more cloud service could, in fact, reduce expense and security risks for the average company.

That view may come as a surprise in light of the dozens of stories that emerge each week summarizing various cloud failures. Those failures aren't the norm, though; it's just that the media makes more money when it reports bad news instead of good. How many articles have you read about cloud vendors with 99.999 percent uptime and availability? How many news alerts have you seen this year discussing the cloud products and services that experienced no significant security issues? Not many, I suspect.

[ Get the no-nonsense explanations and advice you need to take real advantage of cloud computing in InfoWorld editors' 21-page Cloud Computing Deep Dive PDF special report. | Stay up on the cloud with InfoWorld's Cloud Computing Report newsletter. ]

Over the last 10 years of my career, I've performed hundreds of security reviews at an array of organizations. In general, the average company has dozens of security gaps, many of them of the highest risk. It's never a surprise to the companies that have hired me. Heck, the participating staff usually knows of far more problems, but there's little incentive for them to volunteer information. It's common to find huge policy gaps, unpatched software on mission critical servers, bug-filled applications, spotty data restoration, and a myriad of maliciousness.

Most of the cloud providers I review, however, fall at the other end of the spectrum: They have highly focused and fairly locked-down environments. Instead of the 40- to 90-page report I typically deliver, my reports to cloud companies tend to be 5 to 20 pages long, citing only a few problems. The bigger the cloud vendor, the fewer problems I find on average.

The biggest cloud vendors are in huge, globally distributed data centers with very narrowly task-focused employees. In order to serve a wide range of clients and provide the best service, cloud vendors must have their policies and processes down. Physical security is as tight as can be. Everything is actively monitored and keyed to actionable alerts. If an action can be automated, it is. The fault-tolerant features are redundant-redundant, as if two of everything isn't enough.

1 2 3 Page 1
Page 1 of 3
Make your voice heard. Share your experience in CSO's Security Priorities Study.