BOSTON — The worldwide economic slowdown has many companies looking to outsource various aspects of their businesses to Internet-based services. Yet, guaranteeing the security of corporate data in the "cloud" is difficult, if not impossible, a compliance expert told attendees at the SOURCE Boston conference on Friday.
Most cloud services promise certain levels of uptime, but it's much more difficult to hold such services to guarantees of data security, Michael Dahn, the founder of the Society of Payment Security Professionals, told attendees. Until third-party contracts evolve to handle security guarantees, companies will still have to worry about their data.
"This is no different than any other type of outsourcing we do," Dahn said. "You just have to realize that you cannot outsource responsibility."
Cloud computing has attracted a great deal of attention as a way to outsource certain business functions to third-party services. Google and Amazon both offer services that allow companies to run their own applications on the Internet giants' servers. Other providers, such as Salesforce.com, offer specific services to companies.
Yet, making a cloud architecture comply with security regulations requires finding answers to questions that make little sense in the abstract cloud. For example, a requirement of the Payment Card Industry (PCI) Data Security Standard (DSS) is that "only one primary function (exists) per server." Reasonable answers to such requirements must first be sought out, Dahn said.
"Cloud security is possible, just not probable," Dahn said, adding that reasonable compliance regulations could help set a minimum standard. "Until we see services evolve, we are not going to see security in the cloud."
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos