Tonight I got this article forwarded to me: Afraid of outside cloud attacks? You're missing the real threat. David Linthicum (the author) claimed that if you are looking at the hackers attacking “your” cloud from the outside, you are missing the real problem as the insider threat is still bigger.
When I read the article, I agreed, but on the other hand I was quite surprised. The article actually tends to reduce the risks of the cloud to the hacking attack from the outside. As we know, the problem space is much, much bigger, as we outlined in our Cloud Computing Security Considerations paper, as did others in numerous other papers on the web.
However, there is one fundamental thing on which I agree with the article: when people talk about the Cloud and security, they tend to forget the past. When I read the blogosphere and articles on the web, it seems to me as if the cloud is something completely new, the threat landscape is completely new, and the risks are completely new. To me, it is “just” a variation of the theme. We had outsourcing in the past and we had virtualization in the past. Now, we combine the two, add some salt and pepper, and have Cloud computing (I know that I am oversimplifying now).
I am completely aware and supportive of the fact that the Cloud is adding a lot of business opportunities – and new risks. But we definitely have to make sure that we do not forget what we learned in the last few years – the last two decades – of information security, as the “old” risks – like the insider threat – do not go away because we move to the Cloud. Nor will the responsibility for securing our information be transferred to a cloud provider. And this is probably the most important thing we have to consider when we plan the cloud.