F5 DevCentral's Lori MacVittie posted "There Is No Such Thing as Cloud Security" this morning, saying "cloud security" is a vague hand-wave term. If you want to talk about security, you also have to say what you mean by that term. Then you can address it.
“Cloud security” is so vague as a descriptor that it has, at this point, no meaning.
Do you mean the security of the cloud management APIs? The security of the cloud infrastructure? Or the security of your applications when deployed in the cloud? Or maybe you mean the security of your data accessed by applications when deployed in the cloud? What “security” is it that’s cause for concern? And in what cloud environment?
See, “cloud security” doesn’t really exist any more than there are really trolls under bridges that eat little children.
An interesting quote:
The invocation of the term “cloud security” as a means to justify avoiding public cloud computing is equivalent to a cloudwin. Invoking the argument that “cloud security is missing” or “lax” or “a real concern” adds nothing to the conversation because the term itself means nothing without context, and even with context it still needs further exploration before one can get down to any kind of real discussion of value.
Securing a network is different than securing an application is different from securing a network in the data center than it is securing a network in the “cloud”.
We need to stop asking survey and research questions about “cloud security” and start breaking it down into at least the three core security demesnes: application, data, platform, and network. It’s fine to distinguish “application security” from “IaaS-deployed application security”. In fact we need to make that distinction because securing an application that is deployed in an IaaS environment is more challenging than securing an application deployed in a traditional data center environment. Not because there is necessarily a difference in the technology and solutions leveraged, but because the architecture and thus topology are different and create challenges that must be addressed.
First off, with all these PaaS, SaaS, IaaS, NaaS, OaaS, JaaS, and every other *aaS out there, it's easy for someone to say "security is a problem". Of course it is. Security's always a problem; that's why people get it wrong so often.
Second, it's easy for people to use security as a reason not to use a public cloud, because they think the public cloud means their private data is going to be exposed. It can be, I guess, but that's why you think about security in the first place.
But vendors haven't done a really good job of explaining how security works to the public; maybe the insiders all know how it works and they trust it, but I don't know why I should trust the security measures in place, because they're not highlighted in ways I understand.
Can the cloud vendor people explain security for us so we can all learn to avoid these stupid vague terms?