There are so many myths out there about Cloud Security - time to start putting them away...
- The cloud is inherently insecure. No, not really. There are providers which deliver a high level of security. The cloud can be more secure than internal IT, given that services are frequently operated very professionally.
- The cloud is more secure than the internal IT. No, not that either. The cloud is neither secure nor insecure. It is about the single service, which might be more or less secure. And it always depends on what you compare it with, e.g. how strong security in the existing internal environment really is. Thus, it is important to define security requirements in service descriptions and SLAs and to measure security.
- Cloud Security issues are new. No, most of them are not. They are the same as in outsourcing or the tactical use of external services, which we have been doing for years now. The difference is that there are many more services to deal with - which is an opportunity to handle security in a standardized way and improve it beyond the typical ad-hoc approaches of the past.
- Security is the task of the Cloud Service Provider. Yes and no. Service providers have to provide a high level of security and they have to inform about it. But you can't just rely on them. You're always the one who defines your security requirements and is responsible for their fulfillment - by choosing appropriate service providers.
- We can't do things outside of the EU. A myth. There are some legal aspects around operations on privacy-related data which have to be observed. But overall it's not that things can't be done; it's more about a big grey area of uncertainty.
- SAML solves the IAM issues in the cloud. No, definitely not true. SAML is the first little step towards the target of externalized security of cloud services. But that's only about the separation of administration and authentication. The much more interesting topic of authorization (XACML and other standards) has to be solved as well. And few cloud service providers support XACML today. A few offer their own proprietary web services as an alternative. Not to speak of auditing interfaces...
- Security in the cloud can't be measured. Somewhat true - in the sense that most providers don't support risk metrics, detailed auditing and so on. But theoretically not true, because these interfaces can (and should) be provided.