Security remains the primary obstacle blocking a move into the cloud for many organizations. The cloud security picture is murky at best. It presents real security issues, real security opportunities, and red herrings. In most cases the red herrings rule the day and the most critical real issues are problems with our underlying Internet infrastructure—not cloud computing.
I don't want to rehash the issues right now. I've covered them in a number of articles, and you can find a number of excellent blogs across the Internet, including here and here. In addition, there are a number of organizations dedicated to providing frameworks for cloud security and compliance in the cloud like the CSA and CloudAudit.
Instead, I want to grant the premise of the curmudgeonly IT manager who refuses to consider the cloud: "The cloud is always less secure than my infrastructure." Where does this premise lead us? Is it worth this "extra security" to keep out of the cloud?
Don't get me wrong. I don't agree with the premise. For a few organizations, this premise is almost true. For most, however, it is at best neither true nor false, but somewhere in between. What I want to examine, however, is this: even if your infrastructure actually is that much more secure than a cloud alternative, is the "additional security" worth the cost and effort of maintaining that infrastructure?
I'll start with costs. Below is a graph of four real world enStratus customers that compares three kinds of costs:
- Estimated cost to build an IT infrastructure to support a target set of systems
- Estimated cost to have a major managed services provider support the target set of systems
- Actual cost of running the target systems in an IaaS cloud
Not all of them looked at all three options, but the result is clear: the system in the cloud is orders of magnitude less expensive than the other options.
In order to justify building an internal data center based on security alone, the IT manager in the most extreme case would have to make the argument that the supposed security benefits of an internal data center are worth nearly $1.5M/month in extra expenditures. In the least extreme case, $17K/month would be the supposed value of "extra security".
I'm not suggesting in any way that you should not pay extra money for extra security. On the contrary, real security features that offset real, quantifiable risk are definitely worth paying for. If, however, you are honestly going to tell your CFO to cough up 10x or more in monthly costs because you have concerns with cloud security, you should be able to show your CFO that you are saving the company 10x or more in losses to cloud exploits.
The formula is simple:
cost of vulnerability = losses from exploit * probability of exploit
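As an added example (not part of the original post), the following Python applies that formula to the post's own premiums, $1.5M/month and $17K/month, to find the break-even: how far the internal data center would have to cut the monthly probability of a damaging exploit before the premium pays for itself. The $10M loss per exploit and the per-option exploit probabilities are constructed assumptions for illustration, not figures from the post.

```python
# Added example: break-even analysis of the "extra security" premium using
#   cost of vulnerability = losses from exploit * probability of exploit
# Premium figures ($1.5M and $17K per month) come from the post; the loss per
# exploit and the exploit probabilities are constructed assumptions.

from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    monthly_infra_cost: float    # what running the systems costs per month
    monthly_exploit_prob: float  # assumed probability of a damaging exploit per month


def expected_monthly_cost(option: Option, loss_per_exploit: float) -> float:
    """Infrastructure spend plus expected loss (loss * probability of exploit)."""
    return option.monthly_infra_cost + loss_per_exploit * option.monthly_exploit_prob


def break_even_prob_reduction(extra_monthly_cost: float, loss_per_exploit: float) -> float:
    """Drop in monthly exploit probability needed to justify the premium.

    Solves extra_cost = loss * (p_cloud - p_internal) for the probability gap.
    """
    if loss_per_exploit <= 0:
        raise ValueError("loss per exploit must be positive")
    return extra_monthly_cost / loss_per_exploit


def cheaper_option(cloud: Option, internal: Option, loss_per_exploit: float) -> str:
    """Name of the option with the lower expected monthly cost (ties go to cloud)."""
    cloud_total = expected_monthly_cost(cloud, loss_per_exploit)
    internal_total = expected_monthly_cost(internal, loss_per_exploit)
    return cloud.name if cloud_total <= internal_total else internal.name


if __name__ == "__main__":
    LOSS = 10_000_000.0  # assumed: one damaging exploit costs $10M
    # Premiums from the post: $1.5M/month (most extreme), $17K/month (least extreme)
    for premium in (1_500_000.0, 17_000.0):
        gap = break_even_prob_reduction(premium, LOSS)
        print(f"${premium:,.0f}/month premium pays off only if the internal data center "
              f"cuts monthly exploit probability by at least {gap:.2%}")
    # Constructed scenario: cloud at $50K/month with a 1%/month exploit probability,
    # internal data center at $1.55M/month with 0.5%/month.
    cloud = Option("IaaS cloud", 50_000.0, 0.01)
    internal = Option("internal data center", 1_550_000.0, 0.005)
    print("Lower expected monthly cost:", cheaper_option(cloud, internal, LOSS))
```

With a $10M loss, the $1.5M/month premium is only justified if the internal data center removes a 15%-per-month chance of exploit that the cloud would otherwise carry; the $17K premium needs a 0.17% reduction.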