Here comes the bus

I want to get feedback from folks on this, so comment away.  Over the past six months I have been working with companies going over the pros and cons of moving their most critical service(s) off to the “cloud”.  I’m not going to get into the upside and downside here, because it is different for every service and every company.  One concern that has come up among the security folks involved centers on their reputation and credibility.

One side of the argument is that their reputation is on the line regardless of where the data lives.  They are responsible whether it lives in-house or not.  With that line of thinking they are much more comfortable keeping the data in-house, where they can monitor and manage it and everything around it.  Moving their data off to a Google Apps account, for example, where they are limited in what security policy they can implement and monitoring is next to nothing, makes them very anxious.  They do not want their credibility as security professionals riding on Google.

The alternate argument is that by having the data in-house there are unrealistic expectations put on their ability to keep the data safe.  Nothing is 100% secure, and therefore it is just a matter of time until it gets breached, at which point they will lose a lot of credibility.  Moving it offsite, let’s pick on Google again, seems like a great idea because if there is a breach they can stand back and say “Not my fault”, since securing that data is no longer their responsibility.  The obvious thought there is that they cannot be blamed for someone else’s mistake or lack of control.

Camp1 thinks that they are getting thrown under the bus the first time Google has a breach.  Camp2 thinks they will be driving the bus over Google when the SHTF.

I’ll save my thoughts on this until after people comment.  What do you think?


*** This is a Security Bloggers Network syndicated blog from Techdulla authored by Dan. Read the original post at: