Bruce Schneier

IT is complicated: it is more like payroll services than like power generation. What this means is that you have to choose your cloud providers wisely, and make sure you have good contracts in place with them. You want to own your data, and be able to download that data at any time. You want assurances that your data will not disappear if the cloud provider goes out of business or discontinues your service. You want reliability and availability assurances, tech support assurances, whatever you need.
The downside is that you will have limited customization options. Cloud computing is cheaper because of economics of scale, and­ — like any outsourced task — ­you tend to get what you get. A restaurant with a limited menu is cheaper than a personal chef who can cook anything you want. Fewer options at a much cheaper price: it’s a feature, not a bug.

2 thoughts on “Bruce Schneier

  1. shinichi Post author

    Should Companies Do Most of Their Computing in the Cloud? (Part 1)

    by Bruce Schneier

    https://www.schneier.com/blog/archives/2015/06/should_companie.html

    Yes. No. Yes. Maybe. Yes. Okay, it’s complicated.

    The economics of cloud computing are compelling. For companies, the lower operating costs, the lack of capital expenditure, the ability to quickly scale and the ability to outsource maintenance are just some of the benefits. Computing is infrastructure, like cleaning, payroll, tax preparation and legal services. All of these are outsourced. And computing is becoming a utility, like power and water. Everyone does their power generation and water distribution “in the cloud.” Why should IT be any different?

    Two reasons. The first is that IT is complicated: it is more like payroll services than like power generation. What this means is that you have to choose your cloud providers wisely, and make sure you have good contracts in place with them. You want to own your data, and be able to download that data at any time. You want assurances that your data will not disappear if the cloud provider goes out of business or discontinues your service. You want reliability and availability assurances, tech support assurances, whatever you need.

    The downside is that you will have limited customization options. Cloud computing is cheaper because of economics of scale, and­ — like any outsourced task — ­you tend to get what you get. A restaurant with a limited menu is cheaper than a personal chef who can cook anything you want. Fewer options at a much cheaper price: it’s a feature, not a bug.

    The second reason that cloud computing is different is security. This is not an idle concern. IT security is difficult under the best of circumstances, and security risks are one of the major reasons it has taken so long for companies to embrace the cloud. And here it really gets complicated.

    On the pro-cloud side, cloud providers have the potential to be far more secure than the corporations whose data they are holding. It is the same economies of scale. For most companies, the cloud provider is likely to have better security than them­ — by a lot. All but the largest companies benefit from the concentration of security expertise at the cloud provider.

    On the anti-cloud side, the cloud provider might not meet your legal needs. You might have regulatory requirements that the cloud provider cannot meet. Your data might be stored in a country with laws you do not like­ — or cannot legally use. Many foreign companies are thinking twice about putting their data inside America, because of laws allowing the government to get at that data in secret. Other countries around the world have even more draconian government-access rules.

    Also on the anti-cloud side, a large cloud provider is a juicier target. Whether or not this matters depends on your threat profile. Criminals already steal far more credit card numbers than they can monetize; they are more likely to go after the smaller, less-defended networks. But a national intelligence agency will prefer the one-stop shop a cloud provider affords. That is why the NSA broke into Google’s data centers.

    Finally, the loss of control is a security risk. Moving your data into the cloud means that someone else is controlling that data. This is fine if they do a good job, but terrible if they do not. And for free cloud services, that loss of control can be critical. The cloud provider can delete your data on a whim, if it believes you have violated some term of service that you never even knew existed. And you have no recourse.

    As a business, you need to weigh the benefits against the risks. And that will depend on things like the type of cloud service you’re considering, the type of data that’s involved, how critical the service is, how easily you could do it in house, the size of your company and the regulatory environment, and so on.

    Reply
  2. shinichi Post author

    Security in an Age of Catastrophic Risk

    by Bruce Schneier

    https://www.rsaconference.com/events/us15/agenda/sessions/1622/security-in-an-age-of-catastrophic-risk

    In cyberspace and out, we’re increasingly confronting extremely-low-probability, extremely-high-damage attacks. Protecting against these sorts of risks requires new ways of thinking about security; one that emphasizes agility and resilience, while avoiding worst-case thinking.

    https://youtu.be/WPdWg8YtL44

    **

    Reply

Leave a Reply

Your email address will not be published.