If everyone is thinking the same, someone isn't thinking

Lori MacVittie

Subscribe to Lori MacVittie: eMailAlertsEmail Alerts
Get Lori MacVittie via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: Virtualization Magazine, Security Journal, Cloud Computing Newswire, F5 Networks, Security

Cloud Security: Blog Feed Post

Risk Is not a Synonym for “Lack of Security”

Security Risks Topped a Healthy List of Concerns in IDC’s Recent Cloud Survey.

surveyIDC recently conducted another cloud survey and [feign gasp of surprise here] security risks topped a healthy list of concerns that, according to the survey, outweighed cloud computing benefits.

While growing numbers of businesses understand the advantages of embracing cloud computing, they are more concerned about the risks involved, as a survey released at a cloud conference in Silicon Valley shows. Respondents showed greater concern about the risks associated with cloud computing surrounding security, availability and performance than support for the pluses of flexibility, scalability and lower cost, according to a survey conducted by the research firm IDC and presented at the Cloud Leadership Forum IDC hosted earlier this week in Santa Clara, Calif.


However, respondents gave more weight to their worries about cloud computing: 87 percent cited security concerns, 83.5 percent availability, 83 percent performance and 80 percent cited a lack of interoperability standards.

Network Computing IDC Survey: Risk In The Cloud

It would be parsimonious (but altogether commonplace) to assume that “security concerns” or “security risks” translate directly into a lack of security on the part of cloud providers. Ockham’s razor might not draw blood from such an assumption but it does lead to the dismissal of what are certainly legitimate concerns on the part of would-be cloud computing customers.

Risk is not a synonym for “lack of security.” Respondents to surveys asking about cloud computing adoption inhibitors are not necessarily concerned that cloud providers are lax in their implementations of security. Rather it is more likely that because cloud computing impacts the ability of organizations to quantify some of the risks and properly address those risks through processes and technology that it becomes problematic to justify the benefits despite the risk because the latter is unknown.



Risk is about the unknown, about the possibility, the potential for a negative outcome. There is for every organization what is considered an acceptable image level of risk and then there’s, well, an unacceptable level of risk. Generally speaking in order to determine whether some initiative or strategy falls under the organization’s acceptable level of risk the risks must somehow be measurable in terms of impact as well as probability of occurrence.

This is easy to do with availability. Loss of revenue or customers can be quantified based on the last outage, so you have a quantifiable monetary risk. Historical uptime of a cloud provider is becoming easier to find at this point, so the probability of a cloud computing environment’s outage can be calculated. Even security risks can be quantified using industry data (Ponemon’s annual study often helps here) and the probability of attack can be determined in a number of ways, including academic research.

Now, to understand why survey respondents continue to cite “security” as the primary reason they are hesitant to “go cloud” consider what cloud computing today does to an organization’s ability to address security risks through technology, and then examine how deployment in a cloud computing environment impacts the ability to quantify risk and its potential negative outcome.

  1. Today’s cloud computing environments are not conducive to the deployment of a holistic security strategy implementation. Remember the corollary to Hoff’s law: If your security practices don’t suck in the physical realm, you’ll be concerned by the inability to continue that practice when you move to cloud. web application firewall? Nope. Application-specific firewall rules? Nope. Data leak prevent solutions? Not in the cloud. IDS? IPS? No and no. The cloud today offers compute on-demand and that means that you can only deploy a solution that can be packaged in such a way as to take advantage of that compute power. There are almost no “infrastructure” services available in cloud computing environments aside from load balancing. Organizations are currently handcuffed by a lack of security solutions available for cloud-based deployment. The risk incurred, then, is that the information security practices being leveraged internally will be severely limited and disrupted by a cloud computing deployment. If an organization would not be comfortable running its applications without its security-focused infrastructure solutions, it is unlikely to be comfortable moving to the cloud. 
  2. Cloud computing environments introduce new variables of unknown, unquantifiable risk with regards to security. Specifically virtualization technology and cloud computing management frameworks. The former is perhaps the most visible, though the latter should rank higher on the risk scale than it likely does today. While there have been put forth several theoretical exploits of virtualization, to date there has been no “jail break” from a hypervisor in an off-premise cloud computing environment (at least none we are aware of). But the possibility of just such an event and the potential outcome may be more risk than a customer is willing to bear. Just because there are very few known vulnerabilities in and exploits of hypervisor technology and above that, cloud management frameworks (their APIs), does not mean they won’t become known. And once they are, they will be exploited. No one has hijacked a cloud API yet, either, but again – the possibility of that event and the negativity associated with that outcome (imagine an attacker having complete control over your cloud computing deployment) may simply be too much risk for some organizations to shoulder.

It isn’t necessarily the case that citing “security risk” means customers think cloud computing providers are lax or inattentive to security concerns. It may simply be the case that they are well-aware that there are known and unknown security risks associated with new technology that have not yet been addressed to their satisfaction and because as an organization they are highly sensitive to risk they just cannot justify taking unknown and unquantifiable risks with their (and their customers’) data and information. The organizational processes and solutions put in place to address those risks in a typical localized data center deployment are not necessarily available for deployment in a public cloud computing environment, which means the risks must be borne by the organization – and its customers – when using public cloud computing. Some organizations may find that burden too high for them and their customers.

I’m more than okay with that because the potential cost to me if there’s a loss of data is much higher than the savings for the organization from a couple pieces of a hardware.


Hat tip to : @ianrae @mortman @mfratto for the conversation and to @scottsanchez for the original article that sparked the conversation

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.