Sapientia et Doctrina

Thursday 23rd of July 2009 02:31:38 AM

Bruce Schneier on Google Apps. Do you trust Google?

"Security is about who you trust," Schneier said. "Do you trust Google more than your sysadmin? Do you trust Google Docs more than Microsoft Office?" 

"Trust is social," he said. "It’s not technical."


My thoughts:

Yes, I trust that a Google employee, whose sole function is to maintain the system, will ensure that the system is secure, patched and up-to-date. It is simply about reputational risk. Reputational risk (damage to an organization through loss of its reputation or standing) can arise as a consequence of operational failures. Every company understands reputational risk, particularly businesses that regard their brand as one of their most critical assets. Google is one of them. They have a reputation to maintain.


NIST just published a working draft of the Cloud Computing Security presentation. Some of the Security Advantages mentioned in the presentation are:

  1. Shifting public data to an external cloud reduces the exposure of the internal sensitive data
  2. Cloud homogeneity makes security auditing/testing simpler
  3. Clouds enable automated security management
  4. Redundancy / Disaster Recovery
  5. Data Fragmentation and Dispersal
  6. Dedicated Security Team
  7. Greater Investment in Security Infrastructure
  8. Fault Tolerance and Reliability
  9. Greater Resiliency
  10. Hypervisor Protection Against Network Attacks
  11. Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
  12. Simplification of Compliance Analysis
  13. Data Held by Unbiased Party (cloud vendor assertion)
  14. Low-Cost Disaster Recovery and Data Storage Solutions
  15. On-Demand Security Controls
  16. Real-Time Detection of System Tampering
  17. Rapid Re-Constitution of Services
  18. Advanced Honeynet Capabilities

I understand that these will depend on the actual implementation. That is usually the case for everything. For example, you can create the world’s most secure cipher, but a poor implementation is usually the weakest link.

But in theory, if cloud services are implemented properly, I think NIST’s list of advantages holds true.
