RSA's Coviello: Cloud Computing Not Secure Enough
Cloud-based services are being rolled out without enough attention being paid to securing these services and the information they handle. That was the finding of a recent study commissioned by RSA Security.
While the report's findings are alarming, there is still time for providers of these services to address the problem, said Art Coviello, executive vice president at EMC and president of RSA Security. The key is to look at security as an integral part of the service and not as an add-on feature, he said.
Coviello recently sat down with IDG News Service to discuss the security of cloud-based services. What follows is an edited transcript of that conversation:
IDG News Service: Were you surprised by the report's findings?
Art Coviello: It was startling to me that a lot of this cloud computing was being done with security left behind, because I viewed cloud computing as an opportunity to really change the way people approached security. In essence, you're rebuilding the information infrastructure from the ground up. It'll be years before all these legacy systems get moved over, either to internal, private clouds or external clouds, or some combination thereof. Ultimately, that's where it's headed and because of that, because we have knowledge and forethought of all the issues we've had in security over the last decade and a half.
One would think that we've learned our lesson about building security in. Having said that, it's still very early days. Although I find the research alarming, I don't necessarily find it conclusive that this is the way it will turn out.
IDGNS: Is part of the problem that vendors aren't necessarily liable for all of the risk associated with offering these services? Would the services be more secure if they had to fully assume all of that risk?
Coviello: It could be if the person that purchases these services are not careful. But it's hard to imagine that any responsible provider of these services would deliberately make their offering insecure. Woe unto them, they'll be out of business pretty quick. The one thing you can rest assured of is if there's any security breach in one of these services, someone is just going to take their infrastructure and go elsewhere. It's a lot easier to do that in a cloud environment than it might be if you've outsourced your infrastructure.
IDGNS: How does a company know that a cloud-computing provider offers a secure service?
Coviello: Enterprises have the wherewithal and the skill to evaluate the cloud provider's capability and their capability in security, and they would be stupid not to do a thorough investigation because they're outsourcing everything.
EMC
Receive the latest security news as it breaks.
