Think like a user, but break software like an expert!

Testing From The Trenches...
From Someone Who Has Been There and Done That!

Wednesday, March 17, 2010

Security...What Security?

Yesterday I attended the Cloud Connect Conference in Santa Clara. I enjoyed the keynote speakers and the breakout sessions covering various aspects of the Cloud frontier and the implications of working with new and older companies and of dealing with data that is stored off-site in the Cloud.

What does all of this mean for us? Early adopters are, of course, already there, storing data, sharing documents and collaborating in the cloud. However, there are some companies that are still entrenched in having a large IT department on site and in using data and software that is tethered to their intranet and desktop computers. The main take-away on Cloud Computing is that we are already in the Cloud and that the companies that are still entrenched in their own systems will need to migrate to the Cloud in order to be able to work anywhere and anytime.

This brings me to the issue of security.

I attended a fascinating session on "The Future of Cloud Security:  Panel Discussion About Security the Cloud Ecosystem - Sponsored by McAfee".
Members of the panel were:
Moderator - Charles Var, Director, McAfee
Speaker - Ronald Knode, Director, Global Security Services, CSC
Speaker - Shahed Latif, Partner, KPMG LLP
Speaker - Niall Browne, CISO & VP Information Security, LiveOps
Speaker - Scott Chasin, CTO, McAfee Software-as-a-Service

It seems that everyone is trying to make the Cloud more secure so that data, usernames, passwords and documents are safe and so that users will have trust in the system. There are standards for the Enterprise right now (SaaS compliant, etc.), but there aren't the same standards yet for the Cloud. The panelists said that we will see more standards set and companies boasting of having such and such compliance standard.

This brings me to 'Security...What Security?'

The problem that I see is that we will never be 100% secure in the Cloud, because we can't even be 100% secure when not in the Cloud.  There are so many inter-dependencies of companies that are collaborating with each other that if one part of the chain is not 'secure' then other members of the chain can potentially be compromised.

The latest hacking episode that surfaced, which involved China hacking into Google, Yahoo and other companies, turned out to be related to a program that is widely used for software development called Perforce. Who knew? Everyone assumed that Perforce was secure, but it turned out to be the weak link in the chain. Even if each company possibly had a certification for security, any new build or release from the company after the certification happened could again compromise everyone. Just look at all of the security patches that Microsoft has released and you will soon see that there are holes everywhere that we try to patch and fix, but during the time of identifying the problem and patching it, there is potential for a security breach.

So, what do we conclude from this?  We are not going to hold back the Cloud.  It is here, and it is the future.  We need to rely on security firms to find and identify security holes and then quickly release patches and then we move on.

Computer security is just like any other type of security.  We are mostly secure but never 100%.  Best advice...don't make yourself crazy about it.  That's just the way it is.



1 comment:

  1. Cyber security has gone from being a diversion for amateur hackers to a legitimate business threat. Attacks on infrastructure now represent a major concern for organisations of all sizes, meaning cyber security professionals are currently in incredibly high demand – and accordingly in limited supply.