Obviously, the answer is it depends … on your security needs … on what you are comparing it with … on which cloud offering you are looking at.

Therefore, instead of providing a one word “Yes” or “No” answer let me ask you a set of questions that will help you answer the question for yourself. These questions will help you in identifying, for your given context, if the cloud application that you are evaluating is more or less secure compared to status quo or the alternatives that you are considering. The important point is to decide what threats are more significant than others and what can become a show stopper. In short:

• What am I comparing?
• What threats are relevant and I need to consider seriously?
• Are there any show stoppers?
• Do I have the necessary facts?
• Is lack of knowledge clouding my perception?

The Questions

Q1. What are you comparing it with…?

1. …in-premise infrastructure
2. …data centre owned and managed by you
3. …data centre owned by you but managed by third party
4. …data centre hosted on a third party infrastructure but managed by you
5. …data centre hosted on a third party infrastructure but managed by somebody else

Q2. What cloud services are you looking at…? (Here is a detailed discussion)

1. …virtual machine instances (IaaS) like Amazon AWS or Rackspace Cloud Servers
2. …cloud platform (PaaS) like Google GAE or Microsoft Azure
3. …hosted Email like Gmail
4. …hosted CRM like Salesforce.com
5. …hosted ERP like SAP Business By Design
6. …office suit in the cloud like Google Apps
7. …any other

Q3. Which of the generic security threats do you consider very important? Threats that…

1. …attempt to steal sensitive information
2. …comes from inside, from disgruntled employee
3. …exploit existing software bugs and vulnerabilities with the intent of crashing a system
4. …are intended to overwhelm critical system resources such as CPU and RAM
5. …convert compromised computers into a network of bot-nets in order to mount additional attacks

Q4. Is there any cloud specific security threat that needs to be considered? Threats like…

1. …software bug leading to accidental exposure of information to other parties sharing the resources
2. …sensitive data retrieved and leaked out from released resources
3. …insecure interface and API exposed by the cloud provider
4. …losing control over their ability to ensure strong authentication at the user level

Q5. Do you need to comply with any government regulation like…?

1. …HIPAA
2. …SOX
3. …PCI
4. …Data location restriction
5. …others

You can see from this Google Trends chart how cloud security concerns are growing.

• Top Threats to Cloud Computing V1.0
• Gartner: Seven cloud-computing security risks
• Cloud Security Threats and Countermeasures at a Glance

Read the original blog entry...