The Big Four Cloud Computing Providers: Security Compared (Part I)
James Urquhart posted a summary a week or so ago of what he described as the "Big 4" players in Cloud Computing. It was a slightly humorous pass at describing their approaches and offerings:
James provided quite a bit more (serious) detail in the text below his table which I present to you here, tarted up with a column I've added and James left off titled "Security."
It's written in the same spirit as James' original, so feel free to take this with an equally well-provisioned grain of NaCl. I'll be adding my own perfunctory comments with a little more detail shortly: The point here is that the quantification of what "security" means in the cloud is as abstracted and varied as the platforms that provide the service. We're essentially being asked to take for granted and trust that the underlying mechanicals are sound and secure while not knowing where or what they are.
We don't do that with our physically-tethered operating systems today, so why should we do so with virtualization platform hypervisors and the infrastructure "data center operating systems" of the cloud? The transparency provided by dedicated infrastructure is being obscured by virtualization and the fog of the cloud. It's a squeezing-the-balloon problem.
And so far as the argument goes toward suggesting that this is no different than what we deal with in terms of SaaS today, the difference between what we might define as legacy SaaS and "cloud" is that generally it's someone else's apps and your data in the former (ye olde ASP model).
In the case of the "cloud," it could be a mixture of applications and data, some of which you own, some you don't and some you're simply not even aware of, perhaps running in part on your infrastructure and someone else's.
It should be noted also that not all cloud providers (excluding those above) even own and operate the platforms they provide you service on…they, in turn, could be utilizing shared infrastructure to provide you service, so cross-pollination of service provisioning could affect portability, reliability and security.
That is why the Big 4 above stand up their own multi-billion dollar data centers; they keep the architecture proprietary so you don't have to; lots of little clouds everywhere.
/Hoff
P.S. If you're involved with platform security from any of the providers above, do contact me because I'm going to be expounding upon the security "layers" of each of these providers in as much detail as I have here shortly. I'd suggest you might be interested in assuring it's as complete and accurate as possible 😉
It'd be interesting to see an additional column on that chart, probably called "organisational security" in addition to the more technical security measures mentioned above. I always feel that one of the considerations with cloud computing that doesn't always get a lot of visibility is that ultimately companies using these services are letting someone else manage and have access to their data, and so have got some responsibility to make sure that they (the cloud computing providers) are managing it securely.
There are all sorts of interesting problems that can crop up in this arena. For example, I wonder what the security breach notification requirements from the cloud computing companies are? So if they have a breach, will they tell their clients, who may have statutory disclosure requirements, about it in a timely fashion…