Cloud Security Manifesto

Tuesday, October 02, 2012 » security

When folks consider public cloud hosting, security is one of their biggest hangups. Given this overwhelming demand for more secure products, it’s surprising how few developers take the time to learn and apply security best practices. I have no doubt the market will reward SaaS and IaaS developers who take their customers’ privacy seriously.

People are understandably concerned about ceding control of their data. Frankly, I’m tickled pink customers are holding our feet to the fire on this issue. Software development has had a long history of embarrassing security breaches. We can do better. We must do better. In the über-connected, post-PC era, attacks on cloud apps and services will only become more common, as more and more people live their lives online.

First, we need to promote Computer Security as a first-class citizen, joining the likes of Agile Development, Quality Engineering, DevOps, and Continuous Integration. Each team should have at least one security geek; not necessarily a Bruce Schneier, but someone who is—at a minimum—enthusiastic about the subject. Someone who will champion security best practices in the team, and keep up with the state of the art.

Second, project managers should ensure that security is never compromised in deference to shipping new features. Rock-solid security is a feature. Your customers’ trust is something you can’t afford to lose. In fact, shipping security as a feature of your product is a great way to differentiate your company. If I have to choose between Cloud App X and Cloud App Y, I’m probably going to choose the one built by a team that takes my privacy seriously.

In order to grow the cloud services market, we must build a cloud that people trust. It’s not just about avoiding the inevitable PR and legal nightmares that spring from major security breaches. It’s about embracing and nurturing the implicit trust that people put in our code, in our networks, and in our profession.

After all, they deserve nothing less.