Schneier on Security
A blog covering security and security technology.
September 4, 2013
Business Opportunities in Cloud Security
Bessemer Venture Partners partner David Cowan has an interesting article on the opportunities for cloud security companies.
Richard Stiennon, an industry analyst, has a similar article.
And Zscaler comments on a 451 Research report on the cloud security business.
Posted on September 4, 2013 at 7:02 AM
• 9 Comments
I like how they say the private sector will increasingly look to the NSA for protection from cyberattacks. The Snowden revelations are making that one seem a bit shaky.
Not at all; I'm sure the NSA will provide protection to anyone who agrees to cooperate with them fully. Protection rackets have to be reliable, otherwise why pay?
I think somebody just failed a Turing test.
The first few paragraphs seem to be just a Markov chain output of random computer terms: "The challenges of circuit miniaturization, graphical computing, database management, etc etc "
Even press releases from social media startups are more coherent than this - and this claims to be from MIT.
@ Nick P,
You and I both know security is probabilistic, relative and by no means absolute, thus you have to prioritize your risks.
The trouble is your priorities should be set by the probabilities of any given risk (as it generally is for physical risks insurance) and in the ICT world there is almost always insufficient knowledge about any given type of risk, which makes this task more than somewhat difficult.
Mr Snowden's leaks did not in any way change the actual risk of ubiquitous government surveillance, just our information about them and thus our perception.
The risk of information in the cloud however may become more at risk due to the revelations due to the secondary effect of businesses etc now electing to keep or bring back data in house. This has the knock-on effect of changing cloud providers' business models and projected growth etc. Which may weaken the market, reduce the number of suppliers and thus make the market more brittle or monopolistic which would have much the same effect.
"The risk of information in the cloud however may become more at risk due to the revelations due to the secondary effect of businesses etc now electing to keep or bring back data in house. This has the knock-on effect of changing cloud providers' business models and projected growth etc. Which may weaken the market, reduce the number of suppliers and thus make the market more brittle or monopolistic which would have much the same effect."
That's what I was referring to. I doubt such consequences will make businesses more NSA friendly. And history shows NSA friendly businesses are anything but safe from hackers. So, even if the author was correct, the end result will be the opposite companies intended.
Cloud != secure. It's as simple as that. Unless you've got that server sitting in your own rack in your own space, you've got absolutely NO control over it whatsoever.
At least in your own rack you stand a fighting chance of keeping it secure.
"Cloud != secure. It's as simple as that. Unless you've got that server sitting in your own rack in your own space, you've got absolutely NO control over it whatsoever."
Exactly. Hence the emergence of a whole industry of "private cloud" implementation tools. The original "public cloud" offerings came about because businesses saw a way to make money by offering services based on resources which they managed. It's a nice abstraction, but the customer can derive no expectation of privacy or security from it. The customer can't even be sure of the legal jurisdiction in which the physical resources reside.
But please don't therefore throw the baby out with the bathwater! With private cloud, provided you're willing to manage the resources yourself (and there are products such as Stackato to make such management easy), you can have all the advantages of cloud virtualization while retaining control over security.
"This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks"
In the current context, about as brilliant a plan as outsourcing your accounting department to the IRS, I'd say. Mr. Cowan is strongly urged to rethink that statement.
The Forbes article is a bit more intelligent, albeit not without the usual minor inaccuracies as in where they state that Tor was recently compromised or calling Twitter complicit in the Prism program. Whether or not the IT security industry is going to expand tenfold remains to be seen. Depending on the outcome of business impact analysis and other risk assessments, it may apply to specific industries and companies, but anyone who's ever worked in IT security knows that in general it's one of the first budgets that goes on the chopping block in times of economic adversity.
It is undeniable that cloud computing is changing the IT landscape fast, and that this industry will continue to grow in the years to come. It is however not a one-size-fits-all-solution, but just another tool in the IT toolbox, implementation of which needs to be evaluated on a case by case basis, and irrespective of considering private, public or hybrid cloud solutions.
Organisations - especially governmental - to which confidentiality of data is of the essence are advised to stay clear of any and all US-based cloud providers, which thanks to Mr. Snowden have been exposed to be "insecure by law", the security aspect for many a company unfortunately already being one of the prime hurdles to cloud adoption.
plaintext cloud (or somehow keys known to cloud supplier) != secure.
(Clouds still have the issue of availability, which is why I think the name cloud appropriate. Sometimes they are there and sometimes not.)
While I strongly suspect that [nearly] all cloud business cases rely on access to plaintext (for either snooping or de-duplication), any issues in leaving cryptotext in the cloud should be seen as roughly as unsafe as leaving data on private servers (the keys nearly have to be somewhere on site).
Somehow I imagine that cloud vendors will be around for a long time selling convenience for the chance to snoop your data.