I never tire of hearing this silly statement. With new trends come new unknowns, and the cloud is no difference.
Lets look at some facts. The word Cloud is used to mean so many things, and for most people it boils down to outsourced services.
Of course, Google, Amazon, Microsoft, all invest a significant amount in security. So generally speaking, your Gmail account is well accompanied as far as security. And your Gmail service.... is a cloud service.
This is where the similarity often stops, yet decision takers do not realise that most enterprises invest very little in security.
So subscribing to a fancy looking web based service, that is Cloud based, sounds like a great idea, especially if you believe that they invest vast amounts of human and technology resources on security.
The security investment that most cloud based web companies invests is minimal and sometimes non existent.
These companies will brag that they have the best developers (they don't), that they do continuous security testing throughout the life cycle of their software (they don't) and that they do full and complete application security tests and intrusion testing (which they don't).
Chances are, they mandated someone to perform "a" security test, and the investment was academic. The result was a report that is titled "Intrusion Test" or "Web Application Test". No one looks at the details like what was tested, how much time was invested in the testing, and what was not tested that should be tested at some point (out of scope for this iteration....). Where the tests and their scope in-line with the security requirements and risks associated with the application. In other terms: Was it reasonable or simply done to be able to say it was done.
From experience, everyone brags about how great they are, and like every first date it all sounds great, but around the 10th date, you start having doubts, and when you start asking the hard questions, the answers, or lack of answers speak for themselves.
Here are some questions that will separate the great service providers from the weak and worthless ones. Keep in mind that any resistance to entertain these questions spells big trouble:
1a) Are security tests performed at various stages of the life cycle of your systems (List each type of test) ?
1b) From the above list, how many times have each test been performed in the last 12 months ?
2a) How often is a complete security test performed across the entire eco-system by an independent third party?
2b) What is the total cost of each of these testing iterations ?
3) Are there some tests that are performed monthly to ensure that the systems remain secure throughout the year ?
4) What is out of scope for your security tests (if you have no list of items that are out of scope, then your not truly doing security testing) ?
5) Has the architecture been reviewed by a qualified independent security architect ?
6) Do the independent partners that validate your security have any ties to the corporation or it's administrators, or any other relationships that might be interpreted as a conflict of interest ?
7) Has everyone who has access to production systems received security training and obtained a security certification ?
8) Are security tests performed on production systems ?
9) Do you have a bug / security findings bounty program ?
10a) When was your last significant security finding (hint: everyone has some)?
10b) How long did it take your team to resolve the issue ?
11a) When was your last security breach (hint: everyone has had some) ?
11b) How long did it take your security team to resolve the issue ?
12) Do you report to your clients, significant security findings AND security breaches that are reported to you or discovered by you ?
Now I can already hear someone complaining that the software as a service that they offer in a Cloud setting is awesome and that they do take security seriously and do a good job.
My point isn't that everyone stinks, my point, like doctor Gregory House would say, is that everybody lies. When you lie to your clients, even little white lies, you first lie to yourself.
The answers to the questions above do not need to be YES in all cases. There is a lot of points to earn for honesty and adequate risk management. Hiding the truth from your clients translates into clients who believe that no risk is present.
This means short term vision. This blog isn't about short term visions. It's about being a visionary, it's about maturity.
If you blindly believe your secure, and that your data and services are secure in the cloud, knowing that nothing can be truly secure anywhere, then that means you voluntarily wish to omit risk knowledge and risk management, and that is simply immature.
Mature enterprises and mature managers would KNOW they are reasonably secure, and they would KNOW their weak spots.
