Reading this morning’s edition of “Investor’s Business Daily” (IBD), I was drawn to the Internet & Technology section, where the main article discusses how financial services firms, their security fears now appeased, are moving to the cloud. The thought really does come back to the fundamental question: “Are Cloud Services Secure?”
The push to the cloud, for financial services firms, according to IBD, is driven primarily by the need to reduce costs, and to handle more data using fewer staff. As with most things in business, cost is certainly a factor, as business exists to make a profit. Yet, I found no real mention in the IBD article as to how the security concerns, previously held by financial services firms, had been appeased. The emphasis, at least as far as I read the article, was more on costs having priority over security.
Determining whether cloud services are secure requires a proper risk assessment that comprehensively covers both the cloud provider and the organization’s own security program. Properly vetting the cloud services provider is an important first step to ensure that the provider has security programs and controls in place which meet the standards of the organization receiving the cloud services. The cloud provider should be able to provide evidence demonstrating its security posture, permit audit by customers, and have been audited by third-party auditors demonstrating compliance with recognized frameworks.
Yet, even if the cloud services provider passes muster, this does not relieve the organization of the obligation to implement and maintain its own security controls. Breaches can and will occur, despite the security controls of the cloud provider, if the organization fails to maintain its own security posture. The failure then is not on the cloud provider, even though the data is hosted in the cloud, but rather on the organization for failing to implement and maintain appropriate security.
Back in the early days of computing, someone coined the phrase “garbage in, garbage out.” The same concept holds true in today’s cloud-centric computing environment, and we can appropriately re-phrase the line to state: “poor security in, poor security out.”
So to answer the question, “are cloud services secure?” we can reasonably say that they are as secure as the organizations which are using those services.