I was just reading a good post over at securosis by my friend Rich Mogull, and I have a few comments. He, and many others, bring up the fact that the cloud reduces (or eliminates) our ability to implement certain types of security controls, e.g. WAF, DB content monitoring and defense, and advanced S-SDLC.
This is, of course, true, but I think it largely misses the mark. So, yes, for the best of the best, they lose a lot by going to the cloud. For the few who are doing WAF and DB monitoring and protection, etc. really well, and have such advanced S-SDLC that they would suffer from not having full control over the platform, they will lose ground by losing control. Agreed.
But there are so few in this category.
These outliers don’t represent, as best as I can tell anyway, how most medium to large companies are doing things. Most are way behind this, and are still struggling just to get basic, critical vulnerabilities out of their code, and to have solid separation between dev and production.
In other words, for the vast majority of companies out there that can benefit from the cloud, they aren’t losing anything by moving there. They’re simply not doing these advanced things now, so there’s nothing to lose by “downgrading” to the cloud. It’s pretty much all positive for the majority of companies.
What the cloud promises is to take people from 25% to 75%, not to take people from 90% to 95%. I think I would agree with Rich and Hoff that an organization that's at a 90% maturity level with its posture (and has all those advanced controls talked about) wouldn't get much from the cloud.
But again, there are so few of these.
If I had to give a number (which is clearly silly) I'd say that most medium to large companies are in the 30-60% range in terms of their security maturity (think "failing at the basics"). And I'd say that going to a solid cloud service will jump them to 75-80%, which is still bad, but is much better (and yes, I realize the level of oversimplification is staggering). My point is that taking thousands of companies from 40% to 75% is a victory, and the fact that a few big players might drop 5-10% is not as important as it may seem.
In short, the cloud helps more than it hurts simply because most people are in such bad shape that the cloud's weaknesses fail to materialize. It's like saying that moving a homeless person to a middle class home is a letdown because the new place doesn't have an indoor pool. Most companies are failing at the very basics, guys, and that's why the cloud is a win for most people. I think we should avoid letting the best be the enemy of the better.