Outrageous Beliefs Are NOT Equal to Claims They Are Preposterous

I’ve not spent a lot of time thinking about this, but here’s how the
CloudSec variables move in my mind.

• The current state of Security in most environments is horrendous (let’s
  say 3/10)

• The ability to secure, say, Google’s cloud offerings, is like
  (8/10)

• The likelihood of a compromise is far lower

• The impact of a compromise is significantly higher

• As the security of in-house-managed infrastructure increases, the
  CloudSec advantage diminishes

So it’s a race, with CloudSec currently winning by a significant margin. How
long that will remain the case will depend on how long it takes the industry
to start building products that can withstand scrutiny from attackers. And
that is likely to be a while.

Once vendors are releasing products that are harder to break, even when
managed by incompetent and overworked infosec staff, the balance will once
again tip toward in-house management. But right now I think the risk of
higher impact is going to be worth it for many organizations, given the
lower likelihood of compromise combined with being able to focus more
attention on their mission.

[ Nov 21, 2008 ]