Cloud Security - Response to Craig Balding - Archie Reed’s Secure Observations Blog
Cloud Security - Response to Craig Balding

Craig Balding offers some great commentary for "Assessing the Security Benefits of Cloud Computing". As I referenced in my last post "Cloud Security - Key Risks for Cloud Computing", folks love lists, and Craig includes a list of "Seven Technical Security Benefits of the Cloud." These are:

1. Centralised Data
2. Incident Response / Forensics
3. Password assurance testing (aka cracking)
4. Logging
5. Improve the state of security software (performance)
6. Secure builds
7. Security Testing

Now, I am not sure I agree with all of this. It is important to understand that part of the premise here is that companies are using the cloud to offload risk. Large enterprises and small to medium-sized businesses will find these points vary in importance and usefulness.

There is a very fine distinction to make in many of Craig's points, because one of the maxims I hold for cloud security, as noted above, is that "You can Delegate, but you can't Abdicate Responsibility". This is especially true for data protection involving any customer or employee PII. So the expectation that the situation is improved by using cloud solutions may not necessarily hold.

Consider that a business can decide to delegate some role or responsibility for a process. However, it cannot delegate the responsibility itself, especially when it comes to data. Consider a US-based business using a third party to process employee or customer data. If that data is lost, stolen or maliciously compromised in some way, it is still the responsibility of the business to communicate that to the impacted individuals, more than likely all of them. It is not the responsibility of the provider, because the data was not theirs. Such communication, and thus responsibility, is mandatory under some regulations, such as California SB1386 in the US, if not simply expected by the customers.

Further, some of the list tends to fall apart under scrutiny. Specifically, nearly all of these items are things an organization can do regardless of the cloud. More so, a majority of the examples require that the customer does the work, e.g. creating hardened builds or creating an audit server in the cloud. The cloud itself does not provide the advantage, so why use the cloud? To answer that, you must consider that the architecture is what enables these solutions: for example, ensuring that data is kept in the cloud, making the cloud the place where we can focus more security effort, while locking down and minimizing the options for access, and thus the attack vectors from access points (PC, laptop, mobile, etc.).


Posted 06-02-2009 5:41 PM by ArchieReed