Are clouds less secure?

by Alistair Croll (@acroll)

December 17th, 2008

There’s an interesting response from Chris Hoff over at Rational Security to my GigaOm piece about cloud computing and security. Chris makes some great points (and flagged a good study on computer fraud that refutes some of what I said).

Worth a read. What do you think? Are clouds less secure than in-house computing? The usual answer seems to be “it depends” — but what does it depend on? Can we come up with some rules for what’s safe to do in a cloud and when?

Maybe I can convince Chris to come to Vegas and get into a pointed argument about cloud computing risks.

  • I think you are right on, Alistair. From what I have seen, cloud computing infrastructure is being rolled out in a much more secure manner than most in-house data centers. Since AWS and the like are providing SLAs to their customers and since the architects have already been through the learning curve that any large ecommerce venture has (constant attacks against infrastructure, accounts and data) there are many built-in protections.

    Sure there will be problems arising from aggregating thousands of services on one infrastructure. Those that need close to 100% uptime and do not want to go down with Amazon will build applications that run on multiple clouds.

    Cloud computing is a good thing for security in general.
  • Paul N
    Important debate, thanks.

    Remember, though: Verizon's data is drawn only from breaches that Verizon was hired to investigate. Apparently, most breaches where the business hired Verizon to find out what happened were not inside jobs.

    But why would Verizon be hired to investigate breaches by authorized insiders? These could be 80% of real-world breaches without being well-represented in Verizon's sample, no?
  • Hi Alistair:

    I get into pointed 'debates' about cloud computing (and virtualization) risks daily...I gave up drinking and do this instead. Not sure that was the wisest of moves ;)

    I think the most important thing is to clarify/classify which "cloud" model is being referenced because 'it depends' is an answer that suffers primarily from a lack of specificity regarding the subject. SaaS has different security implications than does IaaS, PaaS, VaaS as does the type of information trafficked AND what existing cost-burdens and expertise in security already exist when considering a move to a cloud-based service.

    As I mentioned (and as did Mike above), for startups, it's a no-brainer. That doesn't make it more secure (nor does the size of the provider's security teams or the amount of money spent on "security") but that's not the case for larger enterprises.

    Generalizing these debates will give us confusion, FUD and in some cases a false sense of security.

    /Hoff
  • You both have some valid points. In my 20+ years within IT, I have never worked at a place that invested enough money in security. I have spent most of my career in SMBs and now am in a startup. From the standpoint of the SMB and startup, I am in total agreement with your post. From the large corporation standpoint, I definitely see Chris's viewpoint. For me as a startup, clouds are a no-brainer and the security is a benefit. I will still have to build security into my application, but I can guarantee that the cloud provider will invest many more dollars in security than I will ever be able to afford.