Want a More Useful Answer about Cloud? Ask a Better Question.

The thermostat in a room reads 65 degrees. Is the room hot or cold?

I think that’s the wrong question to ask. The right question is, “Do you feel hot or cold?” Only you can determine how 65 degrees feels to you. You can control some of the factors that make you feel a certain way, like what clothes you wear, but you can’t control all of the factors, such as the amount of moisture in the room, the movement of air through the space, and so on.

The point is that you can PREPARE for some of the things you’re likely to encounter in any given environment, and you can also PLAN how to respond to things you weren’t prepared to find.

Now consider moving an application into “the cloud.” Is the cloud “secure” or “insecure”? I’d like to argue that, just as asking whether 65 degrees is “hot or cold” is the wrong question, asking whether the cloud is “secure or insecure” is the wrong question.

Your concern should be whether the application itself is adequately protected: against the things you know about and can prepare for (botnets, DDoS attacks, the sensitivity of the data, regulatory requirements), and through the plan you or your provider has for responding to events you can’t anticipate (new threat vectors, code changes, hardware failures, and so on).

The goal of the person entering a room isn’t to determine whether the room is hot or cold; it’s to be comfortable in the environment. Likewise, the goal of the application owner isn’t for the infrastructure to be labeled “secure” or “insecure,” but for the application to be operated in a compliant manner.

Only you know when you are comfortable; only you know when you are compliant.

If you tend to feel cold most of the time, you might keep a good supply of sweaters on hand. If you tend to transmit or store sensitive data, it’s best to carry a good supply of encryption keys around—and to know how to use them!

My point is NOT to simplify the complex world of information security, but to CLARIFY and to FOCUS the discussion not on the sweaters (firewalls, IPS devices, anti-virus software), but on the COMFORT—adherence to process, auditability, continuity of operations, geographic fencing of data—of the application owner.

That’s really what makes the difference in deciding whether “the cloud” is right for your application. Rather than ask “secure or insecure,” ask yourself, “Can I be as comfortable (compliant) in a new environment as I am in my current environment?” If not, why not? Are the changes I would have to make to be compliant in the new environment worth it?

This type of compliance ROI analysis is what makes or breaks the business case of moving to the cloud, and of gaining the flexibility, elasticity, and economies of scale that it offers.

What are your thoughts on enhancing this topic?
The Networking Exchange Blog Team