I was talking with Avanade‘s Senior Director for Enterprise Security, Ace Swerling, earlier today. The conversation touched on a wide range of security and identity management issues that I’ll probably return to, but one of Ace’s comments brought my attention back to an issue that has been nagging at me for a while.

As I’m sure we all know, security concerns often figure highly in discussions about moving Enterprise applications and data to the Cloud. Indeed, I spoke with other Avanade executives earlier this year to report on a survey they had commissioned that suggested just how significant these concerns can be for potential customers.

In today’s conversation, Ace appeared to agree (as do I) with the frequent assertion that Cloud providers’ own systems will tend to be more secure than those that the majority of potential customers have in-house today. These service providers have their entire reputation riding on their security, it’s absolutely core to their business model, and they can invest in the facilities, procedures and people to get it right. They’re not claiming to be invincible; nothing is. But the good ones should certainly be capable of being as secure as anything else connected to a network.

Which brings me to the ‘problem;’ a data centre like the one in the video below can be physically and virtually secure, equipped with the best hardware, software, procedures and brains that money can buy.

And then you ruin it by letting the customers in.

The customers who open up all the ports you so carefully closed by default. The customers who use ‘password’ as their password. The customers who deploy sloppy code that’s riddled with holes. The customers who, frankly, are just human… and who don’t live and breathe security in the same way that at least someone inside the data centre probably does.

There are plenty of checks, balances and procedures in place to ensure that the idiocy of customer A cannot impact upon the services used by customers B, C, and Z, but what can the data centre do to protect customer A from themselves once they start over-riding default settings and policies?

Maybe, you might say, we should leave customer A to their own devices? If they want to open themselves up to hackers then let them.

The problem, of course, is that Cloud Computing is still pretty new. There are plenty of critics and pundits itching to break the news that “Sun’s Cloud,” “Amazon’s Cloud,” “Microsoft’s Cloud,” or “Google’s Cloud” is clearly not to be trusted because some customer of that Cloud got hacked. It wouldn’t be news if some small startup no one has ever heard of was hacked. It most certainly would be if they were hosted on EC2, unfair as that might seem.

“Amazon Cloud insecure,” the headlines would scream. Werner Vogels could argue forever that the customer ignored safeguards and contravened best practice, but who would be listening? The stock would tank, IBM and VMware would subtly massage their marketing collateral to emphasise their on-premise innovations and downplay the new-fangled Cloud stuff they’ve been talking about in recent months.

So, I wonder, which will be the first big Cloud provider to turn the tables on the customer? Sure, Cloud providers will still be measured on how secure they are… but maybe they’ll start asking questions about how secure their potential customers are, before letting them in the door. Health metaphors might be used, arguing that those without the necessary immunisations and vaccinations put innocent third parties at risk. In talking it through with Ace he suggested a motoring metaphor, pointing out that manufacturer and dealer warranties are void if the customer doesn’t do their part in ensuring that the car is properly maintained and regularly serviced.

It could actually be quite an easy proposition to sell to many current and potential customers; and maybe you could even provide discounts to those who scored highly in some notional assessment of their securedness.

What would such a relationship between customer and provider look like, would it divert the heat from the service provider when things beyond their control do go wrong, and who is going to make this move first?

Maybe, as the Cloud gets big enough to be serious business, the days of simply letting anyone with a credit card into the data centre are numbered?

Related articles by Zemanta

• The Cloud Isn’t Safe?! (Or Did Black Hat Just Scare Us?) (readwriteweb.com)
• The Three Biggest Tech Barriers to Cloud Computing (java.sys-con.com)
• Microsoft’s Ozzie Says Cloud Services Will Yield Lower Margins (businessweek.com)
• The tech jobs that the cloud will eliminate (computerworld.com)
• SaaS Vendors Target Enterprises Using Private Clouds (cloudave.com)
• Novell aims to tighten cloud security (news.zdnet.com)
• Unisys Looks to Safely Move Business Apps to the Cloud (techcrunchit.com)
• Security Guidance for Critical Areas of Cloud Computing (elasticvapor.com)
• Shaking that false sense of (IT) security (news.zdnet.com)