Cloud computing is not safe!! This statement has become so common that people don't even reason before stating it! I remember my ex-boss, who threw this statement in my face in a meeting while I was recommending that we port a few of our services to the cloud to enhance performance.
And when I asked why he thought so, his response was the funniest I could ever have got! "I can't tell you the reason, but everyone says this so it must be true".
Not just that, I was just reading an article published in a renowned Indian IT magazine for which I used to write until some time back. There, the author compared cloud storage security with handing a parcel to a postal boy.
Guys! Wake up. The cloud is far more secure than you think. I am also from the lot that believes the only secure system is an unconnected system, turned off and kept in a high-security locker. But when it comes to cloud computing, it is indeed far more secure than many mid-sized DCs and co-located DCs running on the continent today.
And securing the cloud is even easier than securing your DC. Now let's see why.
The key reason is that the cloud service providers (and I am talking about the biggies like Amazon) have spent a lot of effort to get all the security certifications and validations, which would have cost a datacenter a lot of hassle, time and money. And they are extending this to their customers at no extra cost.
So, to put it in simpler terms: if your entire infrastructure is hosted on Amazon and you are planning to get ISO 27001, FISMA, ISAW, HIPAA or PCI DSS compliance, you suddenly find that your infrastructure is already compatible, and all you need to do is concentrate on your application. This is because the Amazon infrastructure is already audited and certified for all these accreditations and many more. And a simple statement from Amazon can make your security auditor shut up.
And suppose you don't even need such certifications and validations for your business. Even then, for the same money, you get the luxury of running your existing setup on infrastructure certified for ISO 27001, PCI DSS, etc.
Now compare this with a co-located DC, where, if you have to get a security certification done, you actually have to arrange for your security auditor to visit that IDC and evaluate it. In such a case you actually become liable for any physical security flaws that exist on the service provider's side. There are many good IDCs today that have at least an ISO 27001 certification, but it is rare to see IDCs with niche certifications like PCI DSS, which is gradually becoming a de facto standard for e-commerce websites, or, for that matter, HIPAA, which is a mandate for many hospitals.
So, if you ask me, I would always say that whatever infrastructure you use, be it your own DC, a co-located IDC or the cloud, its security depends on you and only you, because you have to harden it wherever it is. But in the case of cloud infrastructure, you actually get a lot of security precooked, following the best-practices book, which saves you a lot of hassle.
And stop saying the cloud is not secure. Or at least until you see this video: http://youtu.be/AnxrJiS5uKU [Pun intended]
P.S.: Find the list of accreditations and certifications that AWS has today: http://aws.amazon.com/security/#certifications