I’ve not spent a lot of time thinking about this, but here’s how the CloudSec variables move in my mind.
The current state of Security in most environments is horrendous (let’s say 3/10)
The ability to secure, say, Google’s cloud offerings, is like (8/10)
The likelihood of a compromise is far lower
The impact of a compromise is significantly higher
As the security of in-house-managed infrastructure increases, the CloudSec advantage diminishes
So it’s a race, with CloudSec currently winning by a significant margin. How long that will remain the case will depend on how long it takes the industry to start building products that can withstand scrutiny from attackers. And that is likely to be a while.
Once vendors are releasing products that are harder to break, even when managed by incompetent and overworked infosec staff, the balance will once again tip toward in-house management. But right now I think the risk of higher impact is going to be worth it for many organizations, given the lower likelihood of compromise combined with being able to focus more attention on their mission.
[ Nov 21, 2008 ]