The recent release of the Forrester Security Report on Cloud Security and Risk has determined that Amazon Web Services (AWS) is the winner. Believe it or not, this is quite a dangerous statement and could negatively affect the security of most small businesses.
I try to explain database and network security to people by using analogies and recounting the past mistakes of several corporations. I’ve had a fair amount of success in getting my meaning across, but the ease with which people accept an “easy” solution is often too much for basic logic to compete with.
An analogy that I find people understand is this: “How fast do you have to be going if you want to outrun the bear that is chasing you?” The answer is simple: “Just a tiny bit faster than the guy running next to you.” Unfortunately, people tend to think of this externally, in that they only need to make a product that is slightly better than the competition. Any additional investment must be focused on making production and maintenance cheaper. What they neglect is the application of this policy internally.
We must understand that a “System” is more than just a server or an application; it is a co-dependent conglomeration of parts: the choice of server, the provider, the developers, the maintenance staff, the IT support, even marketing, sales, customer support, accounting, managers, and even vendors.
A breach in security can happen at any level, and funding is always limited. We need to assume a relative budget for security and apply it as efficiently as possible to bring security to the maximum level possible. Spending millions of dollars to move to more secure servers is a waste if you’ve got your accounting staff emailing Excel sheets of financial information through their Gmail accounts.
Obviously, if you are developing a new system, you might read the Forrester Security Report and make your provider decision there. However, if you are already using Azure or another provider, you need to determine whether you really need that additional security and whether your budget is more effectively spent elsewhere. Quite often
When determining security policy, it is essential that all facets of the business be taken into account and that risk assessment be applied to the budget. Only then, once a true budget has been determined, should one pick up the Forrester report.