In the midst of the 1990s economic bubble, Alan Greenspan once famously referred to all the excitement in the market as "irrational exuberance". Similarly, in today's cloud computing market a lot of the discussion seems to be driven by a new set of irrational expectations: the expectation by some that cloud computing will solve all of man's problems, and the expectation by others that cloud computing is inherently flawed, flawed by an endless list of problems, most notably that of security. Like most things in life, the reality is probably somewhere in the middle. So I thought I'd take a closer look at the unrestrained pessimism and sometimes irrationality found in the cloud security discussions.
To understand security, you must first understand the psychology of how [cloud] security itself is marketed and bought. It's marketing based on fear, uncertainty and most certainly doubt (FUD): fear that your data will be unwittingly exposed, uncertainty about whom you can trust, and doubt that there are any truly secure remote environments. At first glance these are all logical, rational concerns; hosting your data in someone else's environment means that you are giving away partial control and oversight to some third party. This is a fact. So in the most basic sense, if you want to micro-manage your data, you'll never have a more secure environment than your own data center, complete with biometric entry, gun-toting guards and trustworthy employees. But I think we all know that "your own" data center also suffers from its own issues. Is that guard with the gun actually trustworthy? (Among others.)
Recently it occurred to me that the problem with cloud security is a cognitive one. In a typical enterprise development environment, security is mostly an afterthought, if a thought at all. The general consensus is "it's behind our firewall", or "our security team will look at it later", or "it's just not my job". For all practical purposes, most programmers just don't think about security. What's interesting about cloud computing is that all the FUD that's been spread has had an interesting consequence: programmers are actually now thinking about security before they start to develop and deploy their cloud applications, and cloud providers are going out of their way to provide increased security (Amazon's VPC, for example). This is a major shift; proactive security planning is something that, as far as I can tell, has never really happened before. Security is typically viewed as a sunk cost (sunk costs are retrospective past costs which have already been incurred and cannot be recovered). But the new reality is that cloud computing is in a lot of ways more secure simply because people are actually spending time looking at the potential problems beforehand. Some call it foresight; I call it completely and totally rational.