At the AWS Enterprise Security Summit in London on November 8th, Stephen Schmidt, CISO at AWS gave a keynote entitled “Democratized Security”.  What is Democratized Security and does it really exist? 

Well, to quote Humpty Dumpty from the book Alice in Wonderland “When I use a word it means just what I choose it to mean—neither more nor less."  So, what Mr. Schmidt meant by this phrase may or may not be what other people would understand it to mean.  This is my interpretation.

The word democracy originates in ancient Greece and where it meant the rule of the common people.  It described the opposite of the rule by an elite.  More recently, the “democratization of technology” has come to mean the process whereby sophisticated technology becomes accessible to more and more people.  In the 1990s, Andrew Feenberg described a theory for democratizing technological design. He argued for what he calls “democratic rationalization” where participants intervene in the technological design process to shape it toward their own ends.

How does this relate to cloud services?  Cloud services are easily accessible to a wide range of customers from individual consumers to large organizations.  These services survive and prosper by providing the functionality that their customers value at a price that is driven down by their scale.  Intense competition means that they need to be very responsive to their customers’ demands.  Cloud computing has made extremely powerful IT services available at an incredibly low cost in comparison with the traditional model, where the user had to invest in the infrastructure, the software and the knowledge before they could event start.

What about security? There have been many reports of cyber-attacks, data breaches and legal government data intercepts impacting on some consumer cloud services (not AWS).  The fact that many of these services still survive seems to indicate that individual consumers are not overly concerned.   Organizations however have a different perspective – they do care about security and compliance.  They are subject to a wide range of laws and regulations that define how and where data can be processed with significant penalties for failure.  Providers of cloud services that are aimed at organizations have a very strong incentive to provide the security and compliance that this market demands.

Has the security elite been eliminated?  The global nature of the internet and cyber-crime has made it extremely difficult for the normal guardians – the government and the law – to provide protection.  Even worse, the attempts by governments to use data interception to meet the challenges of global crime and terrorism have made them suspects.  The complexity of the technical challenges around cyber-threats make it impractical for all but the largest organizations to build and operate their own cyber-defences.  However, the cloud service provider has the necessary scale to afford this.  So, the cloud service providers can be thought of as representing a new security elite – albeit one that is subject to the market demands for the security of their services.

With democracy comes responsibility.  In relation to security this means that the cloud customer must take care of the aspects under their control.  Many, but not all, of the previously mentioned consumer data breaches involved factors under the customers’ control, like weak passwords.  For organizations using cloud services the customer must understand the sensitivity of their data and ensure that it is appropriately processed and protected.  This means taking a good governance approach to assure that the cloud services used meet these requirements.

Cloud services now provide a wide range of individuals and organizations with access to IT technology and services that were previously beyond their reach.  While the main driving force behind cloud services has been their functionality; security and compliance are now top of the agenda for organizational customers.  The cloud can be said to be democratizing security because organizations will only choose those services that meet their requirements in this area.  In this world, the cloud service providers have become the security elite through their scale, knowledge and control.  The cloud customer can choose which provider to use based on their trust in this provider to deliver what they need.

For more information see KuppingerCole’s research in this area: Reports - Cloud Security.