CEO Perspectives 3: Reconsidering Security

When the subject of cloud computing comes up, one question seems to always be lurking in the backs of our minds: Is it secure?  This is particularly true for real-time systems.  Indeed, many engineers are reluctant to share their data even with their own company’s IT department, much less put it on the cloud.  Yet pressure from management, associates, and customers to access data from real-time systems is causing more and more companies to consider cloud-based solutions.  When they take a serious look, they may find themselves reconsidering security—and their assumptions about it.

The inescapable fact of computers is that there will always be security threats.  Andrew McAfee put it this way: “The only way to have 100% computer security is to have zero computers.”  All systems, cloud-based or not, need to implement security.  What’s different about a cloud-based system?

When you think of cloud computing, think aggregation.  Cloud companies bring together many customers to provide top-quality software and services at very competitive prices.  The successful ones also provide top-quality security, because the size of their customer base makes them good targets for hackers.  To fend off attacks and protect their business, cloud companies thus need to expend more effort on security than most other companies.  They need to hire the best security experts, and maintain a higher standard of vigilance than a typical factory or water treatment plant.

A recent blog on CloudTech by ZapThink  mentions these factors in a comparison of public and private clouds.  They point out several ways that a private cloud, which tends to be more do-it-yourself in terms of security, can actually be less secure than a public cloud.  Factors such as infrequent hardware updates, less stringent testing, variable staff capabilities, and a lack of awareness of security risks even within firewalls all contribute to the possibility of less-than-optimal levels of security on home-grown systems.

In addition to external threats of malicious hackers, there is also the question of internal security.  You may have analysts in the head office, technicians out at a remote site, and operators on a production line all accessing the system, but different parts of it.  Different groups need to be identified, and individual authentication capabilities built into the security model on that basis.  The article “What Every CEO Needs to Know About the Cloud” states that because cloud computing was originally developed for individuals or peer groups rather than corporate systems, this has been a weak point for some cloud providers.  Vendors are aware of this issue, and most are expecting to provide administrative security functionality in their systems fairly soon.

The lesson here for anyone considering putting real-time data on the cloud is that there is no need to throw out the baby with the bathwater, citing lack of security.  For external threats, cloud systems may actually offer more protection than an in-house system.  These threats can be mitigated further by ensuring that all firewalls stay closed, and that there is a one-way flow of data to the cloud.  For internal confidentiality, any envisioned cloud system should be able to provide authentication and authorization as well as a traditional platform.  If there is as yet limited choice for such a system, more will become available soon.  Demand for cloud computing continues to grow.