Scott McIntyre, the security officer of XS4ALL, had some hilarious words on cloud security in his presentation at HAR2009:
Manager: Where is the data?
Sysadmin: In the cloud
Manager: But WHERE is the data?
Sysadmin: In the cloud
Manager: Just tell me, WHERE is that?
Sysadmin: It is in the cloud
Last week ENISA published a report on cloud security. The report makes clear why Scott McIntyre's objection is still going strong: a security policy requires clarity about what data is stored where, what protections and controls are in place, and how the data is disposed of at the end of its lifetime. Many vendors of cloud services say little about these issues. And if you are working in an environment that requires certifications, you are left entirely on your own: these certifications usually aren't applicable to SaaS or cloud computing, let alone held by any cloud computing vendor out there.
But there is hope: the report is co-written by a lot of these vendors. So they acknowledge the problem and they are even asking for certifications for cloud computing. Great! At the next Hxx conference in 4 years, the conversation Scott made up can continue:
Sysadmin: I finally know where the data is and how it is protected!
Manager: Thanks, but get the data out of the cloud. We have something better by now.