Here comes the bus

19May10

I want to get feedback from folks on this, so comment away. Over the past six months I have been working with companies going over the pros and cons of moving their most critical service(s) off to the “cloud”. I’m not going to get into the upside and downside here, because it is different for every service and every company. A concern that has come up with the security folks involved is focused around their reputation and credibility.

One side of the argument is that their reputation is on the line regardless of where the data lives. They are responsible whether it lives in-house or not. With that line of thinking they are much more comfortable keeping the data in-house, where they can monitor and manage it and everything around it. Moving their data off to a Google Apps account, for example, where they are limited in what they can implement for security policy and where monitoring is next to nothing, makes them very anxious. They do not want their credibility as security professionals riding on Google.

The alternate argument is that by having the data in-house there are unrealistic expectations put on their ability to keep the data safe. Nothing is 100% secure, and therefore it is just a matter of time until it gets breached, at which point they will lose a lot of credibility. Moving it offsite (let’s pick on Google again) seems like a great idea, because if there is a breach they can stand back and say “Not my fault”, since securing that data is no longer their responsibility. The obvious thought there is that they cannot be blamed for someone else’s mistake or lack of control.

Camp1 thinks that they are getting thrown under the bus the first time Google has a breach. Camp2 thinks they will be driving the bus over Google when the SHTF.

I’ll save my thoughts on this until after people comment. What do you think?

–DanO


4 Responses to “Here comes the bus”

  1. In the end, most customers will end up having the same feeling regardless of who is at fault: CompanyA had a security incident and lost my shit. Customers, execs, middle managers, and on down will always end up with the same pressure to make change, regardless of the real cause. It happens in things outside security, like suppliers and vendors. If a vendor screws up, giving the supplier a black mark in the eye of their customer, their customer very likely will find some other supplier. Even if they didn’t want to, they’re being asked for action from their boss, and so on, and they don’t want to be bitten again by the same supplier.

    I’d agree with the first group. If you have the technical clout to properly manage it, you’re better off keeping it closer where you can manage it. If something breaks at Google, you could have brilliant people at your company, but they can only sit on their hands and wait for Google to act.

    IMO, no one should be thinking about the cloud unless they truly have a reason to do it. If you already have the technical chops in development and other facets of the infrastructure and equipment and talent, then you’re not going to gain anything by going cloud. Much like contracting out some of your websites to third-party hosting when you have an entire infrastructure hosting websites already.

    Unless you plan to do some downsizing…of course…

    Besides, unless CompanyA can actually recoup losses, it doesn’t matter whether you can point at someone else for the fault. If CompanyA can’t sue the cloud provider through contracts/clauses/loopholes/whatever, then you’re screwed either way. (Of course, internally, you often can’t sue your incompetent staff, just fire them.)

  2. JC

    Any security professional who thinks they can just point the finger when something happens to the data they are hired to protect is sorely mistaken. I don’t care if it is on premise or off premise, it is all coming back onto your lap and will be your fault.

    It sucks but not sure you can do anything about it.

  3. Rmogull

    Loner has it right…

    You can outsource control, but you can never outsource the accountability. But I agree there is a sizable minority of people who feel they can get away with it.

  4. Dan

    We all feel the same on this one. Thanks for the comments guys.

