Tuesday, April 6, 2010

Cloud Security: FUD

FUD stands for Fear, Uncertainty and Doubt.  Big vendors scare the heck out of most customers - "you don't have any security and you need this, this and that ..." - and to some extent it is true, but many customers can't afford the cost, as no simple solutions are proposed.  With so many differing viewpoints and ideologies, customers face a lot of uncertainty when buying solutions or choosing an architectural philosophy.

An article on Cloud Security: Good Bad and Ugly highlights some of the FUD.  The questions asked are very much valid (I have updated a few with my interpretation):
  • Who audits a Cloud provider (security, data storage and use, updates to the provider infrastructure that may change the security threat model, etc.)?
  • Are background checks done on the Cloud provider's operators?
  • How is data stored at a Cloud provider protected - from hackers, governments, disasters, etc.?
  • Some Cloud providers have teamed up with boutique security consulting firms.  What does that really mean?
It is wrong to state that **anything** is insecure - such blanket statements are harmful.  The exact scenarios in which a service is used must be clearly determined, and security testing must be applied appropriately to those scenarios.  Security is not black or white - it is Risk Management.