The popularity of cloud services continues to grow. The key players are companies like Google, Amazon, and Microsoft, each of which is spending a ton of money improving and promoting its services.
For companies who do not have the ability (or desire) to build and support their own web-based applications, a cloud-based architecture offers many advantages, including:
- Integrated database services
- User authorization and permission services
- Pay for what you need
However, there are a number of risks with a cloud-based application, including:
- Large, visible, popular systems can attract malware attacks from bad guys.
- Proprietary services make it difficult to change cloud providers.
- Little visibility into how the internal services actually work and even less control.
And now there are a number of advocates for anti-malware capabilities in the cloud, including Phil Wainewright’s recent column and John Viega’s latest book, “The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know”. Their argument is pretty simple — the threats are in the cloud, so that is where the threat protection should be. Frankly, I think their argument makes a lot of sense.
However, if your company has acquired cloud services from one of the key players — THEY decide what services are available to you. And given the history of these companies and their propensity to build their own capabilities, it is very likely that they would develop their own anti-malware tooling and integrate it into their cloud platforms.
Thus the key question — Would you trust your valuable data and the future potential of your company to a cloud platform provider who has little, if any, history in successfully protecting its users from malware attacks?
I think that this issue has the potential to severely impact the growth of cloud-based computing, but will probably be ignored until the first major breach of a cloud — then the lid will come off and the finger-pointing will begin.
What do you think?