I recently wrote two articles about the growth of cloud computing: The Perfect Storm for Cloud Computing, and Enough Already! Cloud Computing Is Here to Stay. Both articles were written with the intention of cementing the fact that businesses and IT professionals need to begin, now, to develop their cloud strategy. The articles, read by over 23,000 people at the time of this writing, opened a floodgate of comments about the security concerns of cloud computing. So now I am going to address the truths, the untruths, and the fuzzy truths of security in the cloud.

Untruth: The term Cloud Computing Means “Public”

The terms cloud and cloud computing have been twisted, pulled, stretched and morphed to mean many different things to different people. But a solid untruth is that cloud computing means public. I have read many of the statistics from Gartner and other companies, and when they talk about the cloud, they are talking about private clouds, public clouds, and hybrid clouds. There are other types as well. Many falsely attribute and compare cloud computing to public cloud companies such as Google, Amazon, and Microsoft. Cloud computing does not mean public.

There are a lot of big companies out there that will set up their own private clouds or hybrid clouds. It will be the small- and medium-size business (SMB) space that will be more inclined to move completely to the public cloud, but many will also operate in a hybrid cloud, and a few possibly even a private cloud. So let’s just get that off the table, as it is critical to keep in mind when we are referring to security in the cloud.

Fuzzy Truth: Traditional Network Computing is More Secure

Hackers have been breaking into traditional networks for years. I admit that traditional computing can be made more secure. If you run a company that has a dedicated team of security experts that are monitoring your network 24/7/365 for all exploits and security risks, and this team can take instant steps to secure the network in case of problems, and you have a team that is constantly testing software and updating it to fix security holes, then sure, traditional computing can be more secure. Big organizations do have those kinds of resources, but most, especially SMBs, do not.

Reputable cloud solution providers offer those kinds of teams, experts, and resources. All of the reports I have read that are closely associated with hackers or security experts say that traditional networks are easier to get into, for the very reasons I mentioned, and these are the ones hackers are targeting. There just are not that many SMB organizations that hire security experts. Lastly, one of the greatest security risks in a traditional network is already on the inside: employees.

Fuzzy Truth: Cloud Computing is More Secure

Because the term “cloud computing” is so convoluted, I will admit that security in the cloud is a fuzzy truth. The fact is that most reputable cloud companies have an elastic and automated infrastructure backed up by a team of security professionals. This is something that very few organizations have. Their infrastructures are increasingly more complex. In this complexity, though, lies much safety. The complexity makes it difficult for a hacker penetrating a cloud infrastructure to discover its resources and conventions.

Now for the dark side: Like any industry, there are many newcomers that give the reputable cloud solution providers a bad name. These companies are poorly financed, staffed, and resourced. They are traditionally IT solution providers who have installed some servers in a data center and called it a cloud. They are not security experts, and have poor security measures in place. We will continue to see more of these cloud “trunk-slammers.”

The other elephant in the room is when a public cloud solution provider is hacked, the effect is often more widely felt, or at least has the potential to be more widely felt. (Remember we are talking about security, not outages or loss of data. That’s another topic.) Many organizations are increasingly moving to the cloud, because they recognize that the security they get in the cloud is greater than they can affordably provide themselves, and therefore the risk is acceptable. I am not trying to shorten this topic. There are many theories and fears in many parts of cloud computing that can all be addressed, but suffice it to say that cloud computing security, like traditional network security, is also a little fuzzy.

Truth: Very Little is Private, Get Used to It

I am not saying that one should accept the fact that their private information is being stored somewhere that someone could see. From solution providers to government agencies, I have long accepted the fact that if they want to break my encryption or see something private, they probably can. One report last week talks about a $2 billion data center that the National Security Administration (NSA) is building in Utah, which supposedly has the power to break most encryption algorithms, and eavesdrop on just about everyone. We know that certain governments, such as the U.K.’s, have laws about storing data that passes through the country for a certain amount of time. Many cell phone providers have been caught embedding code that tracks where people go. Almost everything we do online, and sometimes offline, can be tracked by someone. So if you think that your activities are completely private, you’re delusional. Some of this has to just be accepted, but some needs to be addressed, which leads us to the next truth.

Truth: If You Want to Blame Someone, Blame Yourself

Aaahhhh, accountability — love it or hate it. So, I have covered the need to develop a cloud strategy. We do not all have to become security experts, and we do not all have to become cloud experts either. But we all need to be smart about our actions and thorough about our decisions, especially when it pertains to the cloud. Some of the most anxiety-ridden decisions for IT executives, among many, will be related to cloud computing: Which cloud provider to go with, how much to put in the cloud, when to go to the cloud, etc. The decision to choose a cloud provider, among other decisions, is not one that should be taken lightly.

About a year ago I was at a conference of IT solution providers. An owner of one provider told everyone about a cloud provider that lost some client data. He went on for 10 minutes about how horrible this company was and how bad their service was, and asked for advice. While I do not excuse the cloud provider, I was amazed that this solution provider did nothing to guarantee that his client was protected. He made the mistake that many have made, and that many will make: assuming “someone else is taking care of it.”

It is your job to ask the deep questions about security that might make certain cloud solution providers sweat. If you do not know what questions to ask, then you need to educate yourself, or hire an expert who does. In the end, if you do not care enough to make sure your data is safe and with a reputable company, then you will have to accept the responsibility that comes with that decision.

I did not dive deep into the hundreds of security scenarios that could happen. But it’s clear that it is important to accept that neither security in the cloud — nor out of the cloud — is guaranteed. Not much in life is guaranteed, but by educating ourselves on what cloud computing is, we gain a deeper understanding of its benefits and risks, empowering us to make wiser decisions and to develop a strategy that is right for our organizations. Perhaps that strategy will be to stay away from the cloud. The decision is yours — make a wise one.
