How Much Is the Fear of Cloud Security Worth?

By George Reese
February 21, 2010 | Comments: 4

Security remains the primary obstacle blocking a move into the cloud for many organizations. The cloud security picture is murky at best. It presents real security issues, real security opportunities, and red herrings. In most cases the red herrings rule the day and the most critical real issues are problems with our underlying Internet infrastructure—not cloud computing.

I don't want to rehash the issues right now. I've covered them in a number of articles, and you can find a number of excellent blogs across the Internet, including here and here. In addition, there are a number of organizations dedicated to providing frameworks for cloud security and compliance in the cloud like the CSA and CloudAudit.

Instead, I want to grant the premise of the curmudgeonly IT manager who refuses to consider the cloud: "The cloud is always less secure than my infrastructure." Where does this premise lead us? Is it worth this "extra security" to keep out of the cloud?

Don't get me wrong. I don't agree with the premise. For a few organizations, this premise is almost true. For most, however, it is at best neither true nor false, but somewhere in between. What I want to examine, however, is this: if your infrastructure is actually that much more secure than a cloud alternative, is the "additional security" worth the cost and effort of maintaining that infrastructure?

I'll start with costs. Below is a graph of four real-world enStratus customers that compares three kinds of costs:

  • Estimated cost to build an IT infrastructure to support a target set of systems
  • Estimated cost to have a major managed services provider support the target set of systems
  • Actual cost of running the target systems in an IaaS cloud

[Image: graph comparing the three kinds of costs for the four customers]

Not all of them looked at all three options, but the result is clear: the system in the cloud is orders of magnitude less expensive than the other options.

In order to justify building an internal data center based on security alone, the IT manager in the most extreme case would have to make the argument that the supposed security benefits of an internal data center are worth nearly $1.5M/month in extra expenditures. In the least extreme case, $17K/month would be the supposed value of "extra security".

I'm not suggesting in any way that you should not pay extra money for extra security. On the contrary, real security features that offset real, quantifiable risk are definitely worth paying for. If, however, you are honestly going to tell your CFO to cough up 10x or more in monthly costs because you have concerns with cloud security, you should be able to show your CFO that you are saving the company 10x or more in losses to cloud exploits.

The formula is simple:

cost of vulnerability = losses from exploit * probability of exploit

I agree that it is possible to build a secure cloud. Much of the "cloud is not secure" debate stems from, in my opinion, posturing by those forces who stand to lose most from the cloud. Basically, not defining security and then wrapping it in FUD.

All the same, in my opinion, the migration of existing applications from a, theoretically, secure IT infrastructure is the real issue here. Such migration is not trivial and carries certain risks and costs.

Finally, the CSA and CloudAudit frameworks are in the process of being cooked, based on my understanding. Thus, at this time, there does not appear to be the "security in a box" to pack into the "cloud in a box", i.e., an integrated secure cloud. All the same, there are some proprietary solutions that not being open defeats the purpose of an open cloud.

"The Cloud" is an abstraction of a data centre / centres. By using an abstraction, you don't necessarily know where your data is going to end up. Therefore, it's inherently less secure.

Your comment is wrong on almost every single level.

The only true part is: '"The Cloud" is an abstraction'.

How does this article dispel any myths? It just cites the company of which you are CTO as a source for incredible savings. Thanks for the ad.
