Which is safer: Storing data in the cloud or keeping it ensconced on-premise?
Security experts from Microsoft, Google and other cloud vendors delved into this hotly debated issue during a panel discussion Wednesday at the RSA 2014 conference in San Francisco. The vendors agreed that getting customers to store data in the cloud is a matter of building trust, but they had different views on how to achieve this.
While many organizations are using public cloud to test and develop software, a much smaller number are storing data there. In some cases they're missing out because cloud storage can be less expensive than storing data on-premise. Yet there are certain types of sensitive data that probably should never be stored in the public cloud, panelists agreed.
The good news, according to Eran Feigenbaum, director of security for Google Apps, is that the cloud is now secure enough that enterprises can use it for storing data without feeling like they're taking a risk.
Cloud infrastructure from major cloud providers is "probably more safe and secure" than what their customers are running in their own data centers, Feigenbaum said.
"It used to be that no one got fired for buying IBM or Microsoft. That's where we are today in the cloud," Feigenbaum said. "It's the cloud provider's responsibility to convince you that what they're doing is safe and secure."
Considering that Google is a cloud vendor, this sounded a bit self-serving. But Bruce Schneier, a well-known cryptographer and CTO of Co3 Systems, a Cambridge, Mass.-based security vendor, agreed with Feigenbaum's premise.
"When we outsource infrastructure, we do it because when we consolidate expertise you get better results. You don't run your own airline or do your own taxes. There is enormous value in having an entity that is in charge of that," Schneier said.
Since security is a big part of the business of being a cloud service provider, "they're going to do a better job," added Schneier.
Cloud Vendors Suggest Using Certificates Of Security
The panelists suggested that cloud providers give customers some sort of certificate showing that their cloud has met legal requirements for securing data.
"There will be some document Google will hand me that says, 'This is our audit; staple it to your audit,' " Schneier said. In addition to recourse in liability situations, "this gives me as a [cloud] customer some ability to trust what's in front of me," said Schneier.
Feigenbaum said that in addition to a certificate, vendors should make clear what security and privacy commitments, both contractually and technically, customers are going to get from using their cloud.
He likened the situation to when credit cards came into existence and people didn't feel confident in using them until their liability was clearly spelled out. "What's the equivalent of that in the cloud? What commitment will a vendor make to me?" Feigenbaum said.
One scenario where storing data in the cloud gets tricky is when law enforcement seizes a vendor's servers as part of an investigation. Feigenbaum said Google "very frequently" pushes back when this happens to make sure the request is justified. When possible, it also notifies the customer of the investigation, he said.
While this hasn't happened to Microsoft, Bret Arsenault, chief information security officer at Microsoft, said the software giant would also fight such a request. "There are technical ways you could solve some of these things, like the customer having their own key that would let them respond to bulk data requests," he said.
PUBLISHED FEB. 26, 2014