The Myth of Security in Clouds

In today's Wall Street Journal, John Chambers, Chairman and CEO of Cisco, was featured in a video story about technology.  The Journal asked about myths related to cloud implementation.  He waited a long time before responding (this story is a video so you can see the hesitation)  and commented "I'm going to get in trouble on this.  I guarantee my PR team is sweating" a response.  That would be, of course, because Cisco is a major player in the cloud business and his comments were sure to listened to, and make news.  He only made news for the few thousand companies that think clouds are secure and they can push off their security worries by contracting it out to someone else.  It won't work.  It has never worked, but most of the vendors are saying how safe and secure your data is, if only you can seize the cloud moment and give your data to them.  That is a myth, as he points out.  

We should applaud him for being honest, a trait some of his contemporaries are less inclined to show.  They would rather say nothing, than speak ill of the Angel of Revenue.  

He wasn't brutally honest, just mildly so, and he did qualify everything he said.  But, he pointed out that security in clouds is "not quite there".  He did this at a time when major businesses are about to embark on a grand experiment to offload credit card payment systems to clouds, pushing them out to mobile devices.  That data has been in clouds without much fanfare, but Apple is going to make history by taking it there on a grand scale.  

The Apple developer assured me they spent "3 years making this system secure".  I have been doing security for 45 and it always amazes me that each generation thinks they can beat the world to a secure way to move money.  I remind them of something one of my college professors said, "Criminals spend as much time at their jobs as you do at yours."  You can bet those Russian and Eastern European gangs will have a solution to this problem one day.  They spend years at their jobs too.  

The Federal government is having its moment too with clouds, without understanding the difference between a public and private cloud.  They want to use clouds but don't want to do the work to have a private cloud.  They experiment, here and there, with using public clouds for e-mail and data storage without a clue about what they are doing.  There is no centralized planning for any of it.  

If we want to secure data, we can't give it off to someone else to do.  Make it secure before you give it to them, and let them store and distribute it.  Don't think they can secure it.