All the industry big boys seem to be floating on cloud nine with product releases and training geared toward the new era in cloud computing. So as reluctant as many IT pros are in getting involved in the conversation at all, the real discussion needs to shift toward –
Who is securing all the fluff?
Cisco’s recent blunder certainly doesn’t inspire much faith.
In case you hadn’t heard, Cisco Systems Inc. rolled out a firmware update last week which connected customers’ Linksys Wi-Fi routers to its cloud service and required them to sign up for the service to manage their routers.
You can imagine how perturbed IT pros were when after further review found that the Connect Cloud service could collect their personal data. Cisco’s original terms of service for Connect Cloud stated that the vendor will keep track of their personal information such as network traffic, Internet history, and details of how they use the service.
Trust is fragile to begin with and must be earned. Using opt-out techniques rather than opt-in is a bit of trickery. It may not have been deliberate (we won’t ever really know), but omission is a form of a lie nonetheless and a breach of trust in my book.
Cisco has since apologized and clarified that it only retains information that is necessary to sign up for and support the cloud service. Cisco said it will not push software updates to customers’ Linksys routers when the auto-update setting is turned off and will update their terms of service and related documentation.
Some will be more forgiving than others. But one thing is for sure, cloud service providers should take note that users do value their data and privacy.
Users also need to beware.
The National Institute for Standards and Technology (NIST) published some additional guidelines for cloud computing security that would appear to put the onus for security in the cloud clearly on the end user. Though the NIST guidelines are theoretically true, by no means should IT organizations interpret this as absolving cloud service providers of any security responsibility. Most cloud computing services don’t provide the user any control over the internal IT infrastructure being managed by the cloud service provider. So end users really have no way of making sure the virtual machine environment is secure, or the cloud provider has put the proper controls in place to make sure a customer’s service has not been compromised by an insider threat.
However not all levels of security in the cloud are created equal.
Some providers leave it up to the customer to buy and deploy the technology required and others charge a premium to manage security on the customer’s behalf. Unfortunately when it comes to cloud computing service providers and the security controls they have in place, the visibility is as clear as looking through a cloud…..kinda ironic isn’t it? I suppose blind faith is what they expect.
These are just a couple of examples of how when it comes to cloud computing and service providers, users need to be cautious of every aspect including the ‘terms and conditions’ that contain items that could be intrusive if misused.
In the meantime there is some good information on TechNet about keeping track of security and areas of concern regarding cloud computing.