Did I just use a tactic to get you to click on this? Maybe. It sure is a punchy headline. I bet it stirs up some emotion on both sides of the transaction: cloud providers that are tired of working with auditors and security professionals that are tired of explaining to business analysts why regulated data can’t live inside a public cloud.

I spoke at the North Texas Cloud Security Alliance chapter last Friday, and I had a great question from the back of the room. Paraphrasing: if security is a requirement for certain use cases, why do public cloud providers sell services without security controls?


Man, that is a question I wish more people would ask. There are two main reasons for this.

  1. The economics of cloud computing break down a bit when you add lots of security controls (significantly so if the controls are poorly designed).
  2. Because cloud providers can compete just fine without them.

Let’s unpack number one first. If we are just leasing capacity, we can do that relatively cheaply because we don’t need to spend tons of money on controls, auditing, or logs. In fact, the onus should be on the consumer of the service to build some level of control into the application to protect workloads. That doesn’t always work, because administrators at the cloud provider could manipulate resources in ways that would compromise the security of the workload. To fully realize the level of security built into these systems, we need to add a number of controls that can be audited and reported on. Unfortunately, those controls cost money and require additional resources to deploy effectively in a manner that can be audited. Now what once was $0.05/compute-hour becomes $0.50/compute-hour, and the finances derail (understand that those numbers are fictional, but you get the point).

To explain the second point, I want to reference some great insight by O’Toole and Vogel (2011) as they compare companies that focus on sustainability and conscious capitalism with those that do not. As long as it is not the only business model, both will exist (p. 66). If we apply that same concept to cloud providers, as long as they can make money without security controls, they will continue to pursue a non-security friendly business model. So why do they shun security?

Because they can!

Will a small business owner be able to move Google away from their unbelievably favorable contract terms? Probably not, but larger companies that make demands of cloud providers will end up creating a market where security controls are valued, and not considered a one-off. Security should be consumed transparently. Business users typically don’t know when they need certain controls for their applications, so they will focus on the economics instead of the auditability. A better option would be for companies to build a suite of options for their business users by sole sourcing with one cloud provider. They could easily dictate the controls needed for any service, and build that into the price. With some other information security controls like DLP or deep packet inspection, security departments can bolster their ability to rein in unauthorized cloud usage while providing a valuable service to their business users.

References (I’ve been writing a bit in APA style lately, so figured I’d practice it here):

O’Toole, J., & Vogel, D. (2011). Two and a half cheers for conscious capitalism. California Management Review, 53(3), 60-76.

