Monday, November 29, 2010

Cloudy with a chance of better security


I have been mulling over cloud computing a little bit lately. My thoughts (as usual) are pretty simplistic so far. I work in the small/medium environment where good InfoSec is rare as hen's teeth. IMHO, the issues are primarily time and expertise. Small IT shops tend to be reactive and spend a lot of time firefighting. Proactive security is just plain hard, and when you are doing InfoSec as a sideline or a hobby within your daily work, it is a million baby steps to reach a decent security posture à la 2010. Can it be done? Yes. Do I feel like I am there yet? Not even close, but moving in the right direction.

So take virtualization and then take cloud computing, aka using somebody else's virtual infrastructure by way of the Internets. I am all about that. If it is possible for, say, Google Apps or Microsoft's "Cloud Power" to serve up COTS applications and protect data in a way that prevents people from the usual bad habits, e.g. emailing themselves that spreadsheet full of PII, what is the downside? Plus, if cloud computing means that we can move to a thin client desktop approach where few applications need to be installed after the inevitable malware infection(s), then my good friend Matt the desktop guy has a reduced suck factor. That's a win-win in my book.

At the risk of overstatement, do I really believe I can do security better than, say, Google, Microsoft or Amazon AWS? I guess it depends on how arrogant and/or delusional I am. Enough said.

There is some good reading on Lenny Zeltser's blog around how the risk factors in the Cloud are not all unique in comparison to other disruptive technologies. As for me, I can't wait to stick my head and hands in the cloud(s) - and keep them there.
