options that are more appropriately termed "risk mitigation."
The reason that I broach this subject so early on is that I want the
reader to start to view data security as a lexicon of choices, as
opposed to an on/off technology. In a typical organization, the need
for data security has a very wide scope, varying from information
that is set as public domain, through to information that needs some
protection (perhaps access control), through data that are highly
sensitive, which, if leaked, could cause catastrophic damage, but
nevertheless need to be accessed and used by selected users.
One other aspect of data security that I want to draw into this debate is
the human variable within the equation. Computer technology is the
most modern form of the toolkit that we have developed since human
prehistory to help us improve our lifestyle. From a human need
perspective, arguably, computing is no better or worse than a simple
stone tool, and similarly, it must be built to fit the hand of its user.
Technology built without considering the human impact is bound to fail.
This is particularly true for security technology, which is renowned for
failing at the point of human error.
If we can start off our view of data security as more of a risk
mitigation exercise and build systems that will work with humans
(i.e., human-centric), then perhaps the software we design for
securing data in the cloud will be successful.
THE CURRENT STATE OF DATA SECURITY IN THE CLOUD
At the time of writing, cloud computing is at a tipping point: It has many
arguing for its use because of the improved interoperability and cost
savings it offers. On the other side of the argument are those who are
saying that cloud computing cannot be used in any type of pervasive
manner until we resolve the security issues inherent when we allow a
third party to control our information.
These security issues began life by focusing on the securing of access
to the datacenters that cloud-based information resides in. However, it
is quickly becoming apparent in the industry that this does not cover the
vast majority of instances of data that are outside of the confines of the
data center, bringing us full circle to the problems of having a
container-based view of securing data. This is not to say that data-center security
is obsolete. Security, after all, must be viewed as a series of concentric
circles emanating from a resource and touching the various places that
the data go to and reside.
However, the very nature of cloud computing dictates that data are fluid
objects, accessible from a multitude of nodes and geographic