Why do we ask: “Is the cloud secure?”

There have been several debates on the twittersphere of late (OK, these have been raging over several months) discussing how secure or insecure cloud computing is. Generally this is focused on public clouds, and comments have ranged from the surreal, or downright ridiculous, to the sublime. So I decided to pause a little and gather my thoughts.

What I find amusing is that a lot of these comments I’ve seen are from providers, some from vendors. I don’t understand painting everyone with the same brush, because cloud computing is still a relatively new[1] industry offering and providers are still defining and re-defining their niche. Everyone sets up their product a little differently and aims to please certain markets.

The question:

How secure is the Cloud, or Cloud computing? Well, that depends: you need to know what your requirements are. I wrote about this some time ago when talking about collaboration tools, and I even alluded at the time to the same considerations being applicable to the cloud model. Essentially: know what you are after (requirements), understand the risks of going down a certain path, and mitigate those risks.

The counter argument:

“How do I know that the IaaS/PaaS/SaaS provider is doing what they say they are in order to conform to my requirements?” That, in itself, has been another heavily debated discussion. Current practice is to bombard the service provider with documentation requests. This is great if it is a contractually obliged deliverable. Providers are overwhelmed with requests from customers, or potential customers, asking about SAS70 audits, ISO27001 compliance, PCI DSS compliance, and the list goes on.

An answer:

Unfortunately there isn’t an easy way to audit the assertions made by the provider you are using. Watch this space!

There are a number of groups that have formed to discuss a whole raft of cloud security and interoperability standards, detailing everything from how to handle data to how to provision a whole virtual machine. There is a lot of great work out there [2]:

  • Cloud Security Alliance (CSA) – http://www.cloudsecurityalliance.org/
  • Open Cloud Computing Interface (OCCI) – http://www.occi-wg.org/
  • Distributed Management Task Force (DMTF) – http://www.dmtf.org/
  • Storage Network Industry Association (SNIA) – http://www.snia.org/
  • Cloud Audit – http://www.cloudaudit.org
  • Cloud Computing Interoperability Forum (CCIF) – http://www.cloudforum.org/
  • MashSSL alliance – http://mashssl.org/

I have been fortunate to be able to get in on the ground floor and watch the growth of the A6 (Automated Audit, Assertion, Assessment, and Assurance API) working group into that of the CloudAudit group. Whilst I am not privileged to be part of the core working team at this stage, having the ability to watch and contribute to this emerging focus group is awesome. The CloudAudit framework is genius in its simplicity and looks to provide you with details ranging from audit and regulatory compliance reports to confirmation that processes, like backups, have taken place.

There is no straight answer to “is the cloud secure?”, as some provider solutions won’t be, whereas other provider solutions will offer you a degree of comfort. Understand your security requirements. Evaluate their offerings against your policies. Negotiate with them, in advance, what it is that they will deliver in order to keep you from sleepless nights. Finally, keep an eye on the standards and be ready to take advantage of them.

1. Yes, yes, the concept is old, but the large-scale commercial offerings are years, not decades, old.

2. There are a lot more groups out there standardising security. These are only the subset that I’ve taken an interest in myself.