Compare The Cloud

What is Information Security Really?

“We have gone on holiday by mistake!”

Withnail & I

Information security is very much misunderstood out in the business world, and in pretty much any of the other virtual worlds you care to mention. It means different things to different people:

  • To financial companies it is commonly viewed as a “required to have, because we are told we have to”: they do what they need to do because a governing body (FSA, card brands, etc.) forces them to. They do the minimum they need to do in order to tick the boxes, no more, no less.
  • To large and medium retail companies information security is something they have to do because the banks tell them they have to. They don’t like it, because it eats substantially into their profits, but they do the minimum they need to in order to tick the boxes.
  • To cloud companies it’s viewed as “not our problem, because it’s not our data and thus not our responsibility”, so they do only the minimum required to assist their sales process, commonly ISO 27001 as it’s the easiest to attain.
  • To technology companies it’s firewalls and antivirus; after all, they will “never get hacked” as they “are not a target”, so they do the minimum required, in their minds, to provide security at the smallest possible cost, ticking only the boxes they need to.

Looking carefully at the examples above, you begin to see a pattern: nobody really knows what information security is, nobody really wants to do it because they think it costs too much, and if they do have to do it they will do the minimum required to tick whatever box they need to. This leads me to ask a question.

“What is the minimum?”

Funnily enough, not one of the organisations I have spoken to in the categories above can answer that simple question. Sure, some of them will mention compliance (especially PCI DSS), but on the whole there has been no good answer, and that is quite interesting.

Analysing further and digging deeper, the question becomes something different:

“What is the minimum that we HAVE to do?”

So what is it you have to do? Is it securing card data? Changing your contracts to absolve you from any security responsibility for the services you provide as an outsourcer? What, in your mind, is the minimum you have to do to secure your operations?

Analysing even deeper the question becomes:

“What is the minimum that we have to do and what can happen if we don’t?”

What are the consequences of not becoming secure? What fines do you face? What bad publicity do you risk (let’s face it, the British media LOVES to see someone fall from grace and reports heavily on it)?

When you yet again analyse that question it changes again to:

“What are our responsibilities?”

Now that is a good question, and it is the root question when it comes to looking at information security in your own organisation. What are you, as an organisation, obliged to do to protect:

  • Your Owner / shareholders / stakeholders
  • Your reputation / brand
  • Your Revenue streams / assets
  • Your clients

These, ultimately, are the things you are responsible for within your organisation, all of you: from the IT guy on the helpdesk, to the sales people selling your product, to the directors and shareholders who run the business itself. Information security is a company-wide concern at all levels, and one that cannot be ignored in the current market. Companies are falling at the first security hurdle left and right, security breaches are causing more lost and stolen revenue in the western world than any other criminal activity, and it’s getting worse.

Can your business afford a security incident? Think long and carefully about the answer to that question…

If you need help with the answers, don’t forget we are only a phone call away. T +44 (0)1622 873242 

rtwhosting 8 pts

Great article James. What we find disturbing in the SaaS industry is how little security means to a lot of businesses, and we concur with all your key points. Businesses without adequate measures in place to protect them don't understand how easy it is for their data to be compromised until it's too late. As a result 9 out of 10 don't probe nearly deep enough and on a general basis assume that all SaaS / Cloud providers offer the same levels of security & service. HOW WRONG THEY ARE! The next year or two will be fascinating to watch and we believe there will be a radical shake up in the evolution of Cloud computing as a result of businesses getting burnt first time round and taking a closer look at providers and what they offer before committing again. Remember, buy peanuts and you'll get monkeys....

outsourcemag 20 pts

This has been a spectacular and very valuable conversation with some outstanding insight. We are going to produce something on this for Outsource magazine (www.outsourcemagazine.co.uk) in conjunction with the original author, James Rees, and hopefully citing as many of you as possible (though with this many great comments it is going to be a struggle even scratching the surface I think!). Congrats to all of you for really pushing the debate here - and of course to the comparethecloud team for facilitating.

Razor Thorn Security 59 pts

I would like to thank everyone for some amazing input, it is good to see such lively debate. If any of you have anything you want to take offline and discuss then please feel free to contact me at: James.rees@razorthorn.co.uk and of course please feel free to add me on LinkedIn!

AndyBurton 11 pts

'Security' is arguably as amorphous a word as 'cloud'. Depending on your perspective it can fuel your fear, uncertainty and doubt or it can stimulate your protectiveness toward your company, brand, data and customers. One thing is for sure: like cloud, there is no one-size-fits-all approach, nor is there a common understanding or a simple approach to achievement. Equally, like cloud, the issues of security can tend to get exaggerated to fit an agenda, which is not to say security issues are not real; I would just argue they are as real on-premise as they are in the cloud, and any professionally managed organisation should be assessing risk and taking an informed and proportionate response. Security of data is the number one concern for end users, as was reiterated by the Cloud Industry Forum's research for the third year running, and as such clarity and transparency on security practices, accountability of parties (i.e. between the consumer and supplier), and what constitutes best practice will all help ease fears and provide positive direction. Security is not an option, it is an essential component of an IT strategy regardless of deployment model; understanding and grading risk has to determine the commercial approach though.

comparethecloud 122 pts moderator

Andy, how does the Cloud Industry Forum aid members to help end-users in this area? @AndyBurton www.cloudindustryforum.org if you want to view the website.

comparethecloud 122 pts moderator

@AndyBurton Here is a link to Andy's recent blog post; it would be interesting to get others' thoughts on the stats: http://www.comparethecloud.net/1978/cloud-adoption-let-the-facts-speak-for-themselves/

Razor Thorn Security 59 pts

@AndyBurton - absolutely correct, every company should know their risks and apply security based on that risk profile. I have seen many overzealous information security people in my time that are more of a hindrance than a help. We at Razor Thorn are not like that. Additionally I would like to echo that Information Security is a business concern and should be treated as such; IT is a big part of it but there is also a lot more to consider too...

mike_p_riley 12 pts

Interesting article and an amazing number of responses suggesting different areas of security for consideration. If not covered elsewhere in the responses, I would add to these security demands the complexities of maintaining an accurate inventory of authorised and unauthorised software and devices, particularly in light of BYOD. Getting back to the basics – do organisations know what is connected to their network, or what is allowed to connect? As companies expand through M&A or outsource business services to third-parties, it becomes more and more important to get the simple things right. A recent @ScienceLogic deployment, for example, was able to discover a large number of devices accessing a corporate network, but whose role and location were uncertain. There may already be exhaustive data protection policies in place, but without knowing every device on your network, how secure can you really be?

ddeganis 11 pts

@mike_p_riley Mike, I attended the MS WPC in Toronto last week and spoke to the folks at a company called airwatch. www.air-watch.com. They appear to have an interesting solution to address these specific issues. We're just at the research stage ourselves with respect to BYOD but this maybe something you want to have a look at. We're not partnered or connected to this company in any way so this is intended as an FYI only.

TomMoores 7 pts

@comparethecloud: It's all very positive, lots of exciting news to follow in the coming weeks, watch this space!

TomMoores 7 pts

Good article James, it's only too true. I've seen many organisations in the last year who view security as a box ticking exercise without fully understanding the risks. From one perspective, it seems as if outsourcing is the magic answer. By using service providers that already have the badge, many customers assume that is the end of their responsibility. It's only when they are presented with the reality of the situation that there is a shift in attitude, but even then sometimes that isn't enough. I see frequent internal battles between stakeholders on budgets; often in these cases, security is not necessarily an importance at design stage but an afterthought if there is budget remaining. Everyone has their part to play in this, from the top down, be that organisations imposing compliance, service providers working in this space or end customers who are writing the cheques. There can be no assumptions made and no hiding place if things go wrong. It's essential that roles and responsibilities are defined at the inception of a project to avoid an even bigger headache in the event of an incident.

comparethecloud 122 pts moderator

Thanks Tom, how is the Netbenefit Peer1 integration going? @TomMoores

comparethecloud 122 pts moderator

From Ian Moyes, Eurocloud Board member: A great discussion, and to take part in more such as this why not take a look as a cloud provider at Eurocloud UK – EuroCloud is the forum for serious Cloud business across Europe with 1,100+ businesses taking part in monthly meetings. In the UK Eurocloud is seeking new members for 2012 to grow this community and is offering a special Summer membership offer now which can be reviewed at http://www.eurocloud.org.uk/Summer2012-Member-Offer Hope more of you will join up as it's a very reasonable yearly membership with lots of great benefits to those taking part in the cloud!

Imoyse 18 pts

A great discussion, and to take part in more such as this why not take a look as a cloud provider at Eurocloud UK - EuroCloud is the forum for serious Cloud business across Europe with 1,100+ businesses taking part in monthly meetings. In the UK Eurocloud is seeking new members for 2012 to grow this community and is offering a special Summer membership offer now which can be reviewed at http://www.eurocloud.org.uk/Summer2012-Member-Offer Hope more of you will join up as it's a very reasonable yearly membership with lots of great benefits to those taking part in the cloud!

RayWelsh 6 pts

I still find it amazing that organisations are considering what is the minimum investment they can make in security. With the small insight into the number of security breaches that I have, adopting the minimum protection can only be described as an insane risk. Would a manufacturing company not test its products for safety? Do companies not spend large on legal departments? Don't brand consultants charge a fortune to keep a brand in a positive light? With minimal legislation (the Data Protection Act in the UK, plus the non-legally enforced PCI DSS for credit card data) organisations are left to make their own decisions about how much data security they put in place, but for now, many are choosing to skimp, putting their organisations at greater risk than if they spent less on the established areas such as marketing, R&D, legal etc. In my opinion, we will not have widespread adoption of adequate data security until there is a large scale security breach that brings in a Sarbanes-Oxley equivalent and changes company thinking at the top level.

Razor Thorn Security 59 pts

An excellent point and very well made! Organizations spend vast quantities of cash on their brand presence and it can all be dead in the water in an instant. Even the larger brands with a significant market share have considerable difficulty recovering from a security event, but then they have deep pockets to do so; smaller organizations do not. It reminds me of what a wise man once said to me: "treat people how you would like to be treated". Should we not secure our businesses to the same level we expect from those that we buy our own services from?

comparethecloud 122 pts moderator

Ray, agreed on most points, but adopting a SOX model outside of regulated industries will kill off small providers. There is constant propaganda regarding large companies being better, which is killing smaller cloud providers. Don't forget the Skypes of this world all started small (Skype in Soho, London); we have to find a balance, not be big brother. We are a country of innovators, let's not kill innovation before it has a chance to flourish!!! Thanks for commenting though and would like to see your further thoughts @RayWelsh

MikaelLirbank 10 pts

@RayWelsh - I disagree. I would argue that every company should consider what the minimum required investment is. Keep in mind that spending the minimum amount does not mean spending little - the minimum could turn out to be any percent of the available budget. Finding the cheapest way to get a reasonable level of security would make sense for any company; uninformed spending is the devil I would chase.

ddeganis 11 pts

Mikael, great commentary. To your comment about peeking eyes, which is really valid, I would add ensuring that access controls and auditing capabilities are in place whether the solution resides on premise or is hosted and managed by a cloud service provider. An entry level tech should not have permissions to delete or change anything at will; only the senior and most trusted employees should have those access rights. As a standard practice, we always ensure that the encryption keys remain in the hands of the client with an escrowed copy encrypted in the data vault.

MikaelLirbank 10 pts

Hey, @ddeganis - I agree on all parts. Sounds like you have a good policy in place. My recommendation to all cloud service providers is to communicate how they provide security (i.e. what policies etc. are in place) to the users. A detailed promise is worth a lot to an end user when it needs (wants) to trust someone to take care of important business functions or information - especially as the end user will never be able to verify the statement and must trust what is said.

comparethecloud 122 pts moderator

@MikaelLirbank I agree on providers stating policies up front and putting them in very plain English, without acronyms, clearly stating the demarcation between the provider and the customer.

MikaelLirbank 10 pts

Information Security or Data Protection to me is twofold:

1) Protection against failing systems - hardware and software failures leading to data loss or corrupted data.
2) Protection against peeking eyes - which could be divided into at least two groups of threats: a) external hackers (evil by definition); b) the cloud provider (and its (potentially evil) employees).

Since cloud services are provided at very different service levels (I'm not talking about SLA here) - for example a CRM SaaS application is a high level service and a hosted IaaS virtual machine is low level - and as they are very different by design, you may also want to treat them differently. For example, you may encrypt your data at your own premise before sending it to a backup/storage service - and you can be 100% sure to remedy no. 2 above (peeking eyes). You may also keep a local backup of your data, and you can be quite sure to remedy any risk of the cloud provider failing to keep your data intact. This complete-control approach is however not possible when it comes to high level services (SaaS), as they by design require you to trust the provider to protect your data (against both loss and peeking eyes). And it might not even be practical to do it even for low level IaaS, even though it's possible. I mean, why did you turn to a cloud provider to start with? Not to do all the work yourself, I’m sure.

My view is that there is a battle between Convenience and Control - with Information about how information security is achieved working as a balancing force. Control is the defender and Convenience is the aggressor; when (if) the Convenience side wins, the organization adopts the cloud service. In other words, corporations may accept some loss of Control if the service is Convenient enough (providing increased efficiency and lowered costs). The acceptance of lost control can be increased (or, the feeling of loss of control may be decreased or reversed) by providing Information about how the service is kept safe (design, policies, routines).
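
The "complete-control" approach Mikael describes for a low-level backup/storage service, encrypting on premise before upload and keeping your own record so that provider-side loss or corruption is detectable, looks like the following in Go. This is an added example written for this page; it is not code from the original post, from Mikael, or from any provider mentioned in the thread. `UntrustedStore` is a constructed stand-in for a storage provider, not a real API, and the key handling, the binding of the object name as associated data, and the stale-version check are design choices of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// UntrustedStore is a constructed stand-in for a cloud backup/storage service.
// It only ever holds ciphertext, so its operators (Mikael's "peeking eyes")
// learn object names and sizes but not contents.
type UntrustedStore struct{ objects map[string][]byte }

func NewUntrustedStore() *UntrustedStore { return &UntrustedStore{objects: map[string][]byte{}} }

func (s *UntrustedStore) Put(name string, blob []byte) { s.objects[name] = append([]byte(nil), blob...) }

func (s *UntrustedStore) Get(name string) ([]byte, bool) { b, ok := s.objects[name]; return b, ok }

// Client keeps the AES-256-GCM key on premise; the key is never sent to the
// provider. localDigests is the client's own record of what it last stored
// under each name, so a restore that returns an older (still validly
// encrypted) version is rejected instead of silently accepted.
type Client struct {
	aead         cipher.AEAD
	localDigests map[string][32]byte
}

func NewClient(key []byte) (*Client, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead, localDigests: map[string][32]byte{}}, nil
}

// Seal encrypts plaintext for the object called name and returns
// nonce || ciphertext || tag. The object name is bound as associated data, so
// the provider cannot serve one object's bytes under another object's name.
func (c *Client) Seal(name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	blob := c.aead.Seal(nonce, nonce, plaintext, []byte(name))
	c.localDigests[name] = sha256.Sum256(plaintext)
	return blob, nil
}

// Open decrypts a blob fetched back from the provider, verifying the GCM tag,
// the object-name binding, and the client's own record of the content.
func (c *Client) Open(name string, blob []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns+c.aead.Overhead() {
		return nil, errors.New("blob too short: truncated at the provider")
	}
	plaintext, err := c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
	if err != nil {
		return nil, errors.New("rejected: tampered, corrupted, or served under the wrong name")
	}
	if want, ok := c.localDigests[name]; ok && want != sha256.Sum256(plaintext) {
		return nil, errors.New("rejected: provider returned a stale version")
	}
	return plaintext, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	client, _ := NewClient(key)
	store := NewUntrustedStore()
	secret := []byte("constructed sample: customer ledger, Q2 2012") // constructed data
	blob, _ := client.Seal("ledger.db", secret)
	store.Put("ledger.db", blob)
	stored, _ := store.Get("ledger.db")
	fmt.Println("provider can see plaintext:", bytes.Contains(stored, secret))
	restored, err := client.Open("ledger.db", stored)
	fmt.Printf("restored %q, err=%v\n", restored, err)
}
```

The provider in this model can still lose or withhold the object (Mikael's first threat, failing systems), which is why the comment also recommends a local backup; what the client-side key buys you is that neither an outside attacker nor a provider employee can read, substitute, or quietly roll back the stored data without the restore failing loudly.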

comparethecloud 122 pts moderator

Brilliant response, I love the peeking eyes analogy. I am sure James will want to comment on this! @MikaelLirbank

Razor Thorn Security 59 pts

Loss of control is a key pain point for many service providers. A lot of those I deal with are frightened of the loss of control especially, and security events are one of those things where the organization on the receiving end is affected by this. There are quite a few tricks of the trade here; most involve knowing your risks from both a business and a technical perspective. A company that takes information security seriously and has the right person / advice can manage almost any security event so that you don't have a feeling of lost control. Of course the trick here is to know what to do... As I said before, every company is different and has different security needs, but NO security event is insurmountable if you plan properly.

Razor Thorn Security 59 pts

Hehehe, as to the peeking eyes thing... it depends on what you don't want them to peek at... know your assets, know your risks and you won't have to worry about this ever again. Feel free to contact me and I will be more than happy to expand on that.

nprescot 5 pts

We at FireHost have built security in from the ground up and we are PCI DSS compliant as a service provider across all 12 requirements of PCI DSS. We have a compliance package where you get all the information that allows you to move your environment to a PCI DSS compliant environment within 24 hours. We offer PCI support so that you and your QSA can get around many of the traditional headaches. We also comply with data sovereignty clauses, so that if you choose to keep your data within the EU, it stays within the EU and is not chopped/changed/dragged around in a fancy follow-the-sun tactic. We don't take a tailored / bespoke approach; it's all there for you ready to go, and the security of our infrastructure is what we do and protect on a 24/7 basis. This said, we can take a slice of the risk management process from our customers in the infrastructure environment, but it's still and always will be the responsibility of the customer to secure their data at rest and in transmission... we at FireHost facilitate this process.

ImtechICTUK 6 pts

The common approach towards security is to merely think of firewalls, VPN, remote access and patch/version management technologies - but this is only half of the story. It's no longer good enough to adopt the ‘moat and drawbridge’ approach, as many threats can come from within your organisation. Imtech ICT takes a vendor agnostic and comprehensive approach to its security philosophy. We ‘design in’ security, protecting existing IT environments with minimum disruption, inconvenience and expense. By taking a ‘step back’, Imtech can assess all aspects of the corporate infrastructure and devise robust solutions that cover web applications and mobile devices through to virtualised environments. Imtech’s consultants understand a plethora of vendor platforms, legacy environments, operating systems and networking technologies, having acquired a unique set of integration skills which demonstrates a greater understanding of IT estates and what is needed to cost-effectively and reliably secure them.

comparethecloud 122 pts moderator

From Terry Casey, Founder, Cogmento.ie: The issue of security in the cloud is essentially the same issue as security for on premise systems. The only difference is where and how the platform has been implemented. Cloud users need to establish a proper governance framework for security management that includes first of all a risk assessment exercise backed up by an appropriate mitigation plan with actions taken as required. Regular reviews and re-assessment of risks with modified actions for further risk mitigation will ensure ongoing management. Essential to this process is the basic capability offered by a cloud vendor. This needs to be subjected to the above approach to ensure that adequate safeguards and systems are in place. Finally, it's worth mentioning that security requirements for an ecommerce company will be different from the security requirements for a client just using cloud for storage. Context is important. At Cogmento (www.cogmento.ie) we assist business users in addressing these types of issues as part of their cloud migration strategy.

Razor Thorn Security 59 pts

@comparethecloud - Total agreement here from me, and good advice.

Terry Casey 8 pts

The issue of security in the cloud is essentially the same issue as security for on premise systems. The only difference is where and how the platform has been implemented. Cloud users need to establish a proper governance framework for security management that includes first of all a risk assessment exercise backed up by an appropriate mitigation plan with actions taken as required. Regular reviews and re-assessment of risks with modified actions for further risk mitigation will ensure ongoing management. Essential to this process is the basic capability offered by a cloud vendor. This needs to be subjected to the above approach to ensure that adequate safeguards and systems are in place. Finally, it's worth mentioning that security requirements for an ecommerce company will be different from the security requirements for a client just using cloud for storage. Context is important. At Cogmento (www.cogmento.ie) we assist business users in addressing these types of issues as part of their cloud migration strategy.

Razor Thorn Security 59 pts

@Terry Casey, interesting, you must be one of the only organisations I have come across that includes security in the migration plans... may I ask how this is done? Is it through risk management and some internal info sec people, or do you engage in some other way?

MaxBuchler 26 pts

A lot of really great comments and traffic to a great post on an important matter. First, and this is important: I’m not an InfoSec expert; at the most I would call myself a novice. So my points are in humble respect to all InfoSec experts, and I apologize if I’ve missed comments similar to mine in the thread. But I will give you my opinion from “my mind of view”. I make it a long one…

Normally I tend to say: don’t worry about security in the cloud. It’s probably better than the one you have today in and around your on-prem solution. And if it’s better “at home” you either:

  • Have a specific business that needs to be top secure. Most probably you shouldn’t put this type of service into a public cloud. Maybe a private one. Or:
  • A specific CSP has a lousy security solution – a minimum solution! Or:
  • You have probably built a better solution than needed, and your owner or the management isn’t informed or doesn’t understand the actual cost.

A CSP’s core business is to deliver services. If a CSP fails in security it’s a bad mistake, and the CSP should, in my opinion, ask themselves why they are in the business at all: in the business to make easy money or to truly deliver a good service to customers? The business is self-sanitizing, but it’s bad for cloud business in general if credulous customers learn the hard way. By saying credulous I don’t mean sloppy. You should read T&C and benchmark, but you should be able to trust the facts and results.

On the other hand, CSPs struggle with costs since customers demand more than they are willing to pay for (read my post about how customization isn’t the future on outsourcemagazine.co.uk). It might also be a problem when a customer asks for, e.g., a SaaS where InfoSec isn’t a selection criterion and several CSPs compete for the contract; why should the customer choose a more expensive service even if it’s better?! To me this is the biggest problem: customers choosing the cheapest alternative even if they (know?) they needed a better solution - the unaware CFO and CEO putting their businesses at risk because they didn’t understand, nor are aware enough, just thinking about money in the short term. To quote a colleague of mine: “When buying quality you only cry once.”

For sure, as in all situations, attacks will happen where it hurts the most. So CSPs will be more attacked and vulnerable than single on-prem solutions. Therefore, I still say: security is probably better in the cloud than with a business-functional on-prem solution – because the CSP will be “erased” from the market if it fails.

Security shouldn’t be a defense wall only. The only way to build “Fort Knox” security is to use tons of money. Or you can erase all threats by dropping the Internet connection and using rigorous controls when hiring and when the employees come to work. But business is about taking risks; not stupid ones, but some. You can’t afford “Fort Knox”, you can’t “afford” dropping Internet or setting up rigorous controls, and you can’t afford incidents. You have to know threats and what risks you’re taking and try to minimize them, but most important: you have to know what to do if something fails or someone hurts your business.

If you put the least acceptable level of effort (= minimum) into fulfilling a certification, standard etc., you as a customer jeopardize your business, or as a CSP you jeopardize both your own and your customers’ business. If you know you’re doing the minimum… reconsider if you should be in business at all. Unfortunately the customers are driving the “minimum”. Let’s hope maximized security bangs aren’t the way to wake customers up from security-minimalistic dreams. Minimum is not ok – for me, you, he, she & it/IT, and none of us can afford a serious incident. Good q's are: What is maximum, and what's "enough"?

MaxBuchler 26 pts

Sorry about the formatting....

Razor Thorn Security 59 pts

@MaxBuchler - heheh, don't worry about the formatting, it happens to all of us! You make some good points in your response, thank you. "Fort Knox" security will commonly disable the efficient and effective running of a business; unless you have something absolutely critical I would always recommend shying away from such levels of security unless there is a clear business need. CSPs will for instance have a very different set of information security requirements from an insurance company, the same with an ecommerce company. Every organisation has different requirements and different needs, and it is worthwhile for any cloud client to speak to the CSPs they are considering using about their own security requirements to ensure that the CSP can fulfil those items, be it compliance, general good practice or special requirements. Gone are the days now where customers want the minimum; they may want the cheapest they can go for, but they will still expect a better than average service with a secure setup. Of all the CIOs I have chatted to, every single one has placed security in the top three (normally top two) requirements for moving over to a cloud solution. CSPs should embrace security as a business must have; if they don't, at some point they will have a security event, and trust me, a single bad security event can put most companies other than the largest out of business fast. Security events reduce confidence from your clients and risk them leaving for a competitor.

TaylorDeakyne 7 pts

Excellent article James, I couldn't agree with you more. I would also add that general ignorance of even the most basic security practices is a major contributing factor to the high profile security breaches that we all read about in the newspapers. As you pointed out, the focus for businesses today should be not on how much it costs to implement best practice in info security, but on how much the consequences of a security breach would cost in fines and reputation etc... I would argue that when people in roles of responsibility are educated in the areas of info security that are relevant to them, they tend to take more ownership and a more proactive approach to security, as they cannot plead ignorance anymore and are well acquainted with what is at stake.

comparethecloud 122 pts moderator

@TaylorDeakyne Good response, what company do you represent?

TaylorDeakyne 7 pts

I represent Netplan Internet Solutions; we are a Level 1 PCI DSS Hosting Provider certified by VISA, and securing highly sensitive data is our specialty @comparethecloud

TaylorDeakyne 7 pts

That looks great thanks @comparethecloud

ddeganis 11 pts

A major part of the problem, from my perspective in the data protection services space, is that most of the large vendors out in the marketplace do not support true multi-tenancy as of yet. They all have MT on their development/acquisition roadmaps, but this very important element of cloud data security is not receiving the proper amount of focus and attention because none of them want to draw attention to their own shortcomings. Within the service and solution provider community, I have encountered very little dialogue that demonstrates any degree of understanding of the benefits, implications and risks around multi-tenancy in a shared resource service delivery environment.

comparethecloud 122 pts moderator

@ddeganis Thanks for your comment. You missed a w from your profile web address; worth updating so visitors can view your website, or post a link in.

ddeganis 11 pts

Thank you for the heads up. I believe I have corrected it.

sourceplc 10 pts

Great article and really fascinating comments. Not sure if it’s been covered already by previous comments, however no one seems to have covered the physical security requirements within the data centre. Ranging from personnel checks through to dual/triple authentication, trip wires, double entry gates, delivery processes etc., surely if these are not in place correctly then, regardless of the software or other security measures there, the information is always at risk? Any thoughts? (Fenton, Source)

comparethecloud 122 pts moderator

@sourceplc Thanks Fenton, nice to hear from a DC provider's viewpoint.

Quentin Clothier 6 pts

Information security (IS) is all about safeguarding data. In 2011, the cost of cybercrime to UK business was £27B - that is only 10b short of the entire UK deficit. With 1/5 of all companies who should be PCI compliant not being, we clearly have a problem. One strategy for many is a move to a private cloud. For many companies, the cloud can actually improve IS as it will effect a security upgrade - it not only forces the business to review and revise security from the ground up, but the move will also deliver increased access control and security to all IT resources. Your comment regarding cloud providers doing the bare minimum is something I don’t necessarily agree with. ASG’s data centre in Frankfurt is a platform to some of the most security conscious businesses in the world, and if we were to only provide the “minimum” level of compliance and security then we would soon fall foul to an incident. Data security to cloud providers is what they do – it is their specialism. None of the providers I know provide just the minimum – and a word of advice to anyone considering a move to Public Cloud: ensure you have very clear agreements over data access and a very clear exit strategy. In the event you become unhappy with your provider, it is imperative you have this in transparent form prior to any cloud migration.

comparethecloud 122 pts moderator

@Quentin Clothier Thanks, great post.

Razor Thorn Security 59 pts

Quentin, thanks for your post, some good points in there. Information security is about protecting assets. Data, as you rightly pointed out, is one of those, but so are operations, revenue streams, people, etc.; if someone is only undertaking information security to secure data then there is a fair bit being missed. I would challenge that data security is the specialism of cloud companies; I have met many who think they are undertaking good data security by segregation tactics but in fact are not covering themselves in other areas. But I do totally agree a clear exit strategy is something everyone should very carefully look at BEFORE engaging any cloud provider. I have spoken to more than a few companies who have either fallen foul of this or are in a sticky situation currently where they can't move because the cloud company has made it very difficult for them; this also happens a lot with payment processors using tokenization and storing card data...

© 2012 Compare The Cloud Limited. All rights reserved.