A real gap has appeared between how cloud vendors and their customers perceive security. A recent survey found that 69 percent of vendors believe security is primarily a cloud customer responsibility, but only 35 percent of cloud customers believe security is their responsibility alone. Just 16 percent of cloud providers feel security is a shared responsibility, compared to 33 percent of cloud users.
Although security has repeatedly been highlighted as one of the key concerns with Cloud Computing, only 20 percent of cloud vendors see security as a competitive advantage, and fewer than 27 percent feel their cloud services can protect and secure customer information.
Why is there such a gap?
Technology maturity might be part of the picture, but after watching Bruce Schneier’s TED talk, The security mirage, it strikes me that something much more fundamental is at play here.
In the talk, Bruce introduces three elements to explain the concept of security (illustrated above). He defines real security (risk) as a trade-off between our willingness to invest effort and resources to mitigate the risk (e.g., buying insurance or avoiding people with the flu) and the perceived likelihood of the bad outcome occurring. In other words, according to Schneier, our assessment approach is primarily an emotional one.
And while our emotional security assessments are generally well aligned with the real risk (we happily live in houses full of electricity), we do need two things: 1) the ability to visualise the risk, and 2) familiarity with the event occurring. For example, we need the model of bacteria to rationalise the risk of flu infections, while the media coverage of the swine flu distorted our familiarity with a particular flu strain.
The problem for cloud customers is that cloud security is hard to visualise, and general familiarity remains low or is distorted by the media coverage of events such as the recent security breaches at Sony. Customers’ feelings are therefore probably not a good perception of actual cloud security. Cloud vendors, on the other hand, work with their technology every day, so they are familiar with the risks and are able to visualise them with relative ease (in comparison with their customers). They have developed a model for rationalising the security risk and can therefore make better predictions.
However, if cloud vendors don’t (as the survey indicates) see security as a shared responsibility – and perhaps see it merely as a matter of ‘turning on the various encryption features’ – then they are likely to fail to help their customers develop appropriate models of cloud security, and cloud security is too complex to leave to our feelings. This could result either in customers not signing up because they are ‘too scared’ (not willing to go into a house full of electricity), or in customers signing up unaware of the risk they have taken on (e.g., refitting a power adapter while the electricity is on).
Corporate technology customers already have models of security covering areas such as trust, governance, policies, audits, training, reporting, certification and (some) technology – so the effort on the cloud vendors’ part should ‘only’ be a matter of adjusting existing models to the new cloud environment rather than starting from scratch. But if they don’t engage with their (potential) customers, security will remain one of the main obstacles to cloud adoption – simply because customers cannot be sure that their security trade-off strategy aligns with the cloud vendor’s strategy. And just turning encryption on does not address the problem…
http://www.darkreading.com/cloud-security/167901092/security/security-management/229402544/users-service-providers-at-odds-over-cloud-security-study-says.html or http://www.infosecurity-us.com/view/17688/security-is-left-behind-in-rush-to-cloud-survey-finds/
Concerns about ability to lock down the hypervisor: