Over on the Alert Logic blog the question is asked: “Is Data Safer on Premise or in the Cloud?”. Unfortunately there is no simple yes or no answer. The only answer to this question is it depends. The point of the Alert Logic post, however, is not to convince you to move all of your infrastructure into the cloud but rather to convince you to use Alert Logic’s SaaS application which is conveniently located where….you guessed it, in their datacenter.

Alert Logic mentions the SAS 70 Type II audit standard that, based on the few that I have reviewed, are very subjective and a tad fluffy when it comes to how the results are measured. But hey, clouds are supposed to be light and fluffy right? I like the idea of SAS 70 audits more than I actually like the results generated by them. I’m not saying you should completely disregard a SAS 70 Type II audit when a vendor hands it to you but rather use it as a springboard for deeper questions about the company background, monitoring practices, information and communication systems, and how the results of the testing were generated (and can they be reproduced).

The title of the Alert Logic blog post was what initially made me open it up in my RSS reader. I was a little disappointed that it was more of a product pitch than a debate on cloud vs. premise. When I say that the answer to that question is it depends…well, it does. The average small to medium business typically does not have the capital, or experienced personnel, to implement a true security management program AND implement/maintain the required technical controls to enforce the policy. This is where cloud security has the opportunity to shine.

Positioning moving your datacenter to the cloud under the guise of “increased security” won’t fly with me until someone can take my hand and walk me down to the proposed new home for my datacenter. I want to see, with my own eyes, the network, host, physical, and operational security capabilities, policies, and procedures that my service provider will follow. That might ease my mind but it will certainly take a lot of convincing to make me believe that you can meet the following equation:

(cloud solution security + cost savings) > (my current security)

Justin Foster posted an interesting article entitled “Defense in the Deep End” where he talks about what technical controls he would use, and where he would put them, if he had an unlimited budget. Although I agree with most of his selections, his chart can be seen here, there are a few areas that I would continue to invest in:

1. Anti-phishing, URL filtering, and Threat Protection – Let’s bundle this all up into a category called Anti-malware. If I had an unlimited budget, why wouldn’t I consider installing these technologies on my workstations, laptops, AND servers? How often do admins connect directly to the Internet from a server to patch their systems, install troubleshooting applications, and the like? Why not add an extra layer of protection for your servers?
2. Hard Drive Encryption – Let’s encrypt hard drives on laptops, as they’re mobile, but let’s also encrypt hard drives on the workstations that also work with sensitive information and on the servers that actually store the sensitive information. I won’t even get started on phones and handsets.
3. VPN – In the next couple of years, more and more people will need to be able to connect to the business to perform quick tasks (i.e. check email, submit time sheet, etc.). These are tasks that can easily be performed from a public terminal using an SSL-enabled VPN solution. Also, perimeter VPN solutions aren’t going away anytime soon (I’m going to choose to believe you just forgot to put a check mark in that box 😉 ).
4. DLP – Why not deploy an inline DLP solution to guard against third-party network-based device DLP ‘attacks’? Put something inline on the network to watch the traffic as it flows out to the Internet?
5. System/Application Log Forwarding (To SI/EM) – Don’t forget to send the logs from your network-based devices, such as firewalls, routers, switches, *IDS/*IPS, proxy, and toasters, to your SIEM/LM device. Correlation is key!
6. File Integrity Monitoring – Yes, servers need to be monitored for changes, but what about laptops/workstations? Wouldn’t you want to be alerted when a registry key is changed at 3am?

All things considered, Justin put a good list forward.