Cyber Security Institute

Wednesday, February 15, 2006

‘Security in the cloud’ is not the way to go

One of the basic philosophies of security is defense in-depth: overlapping systems designed to provide security even if one of them fails.  An example is a firewall coupled with an intrusion-detection system (IDS).  Defense in-depth provides security because there’s no single point of failure and no assumed single vector for attacks.  If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud.  [For email ]They do a great job of filtering out spam and viruses, but it would be folly to consider them a substitute for anti-virus security on the desktop. 

Smart organizations build defense in-depth: e-mail filtering inside the cloud plus anti-virus on the desktop.  Real-time monitoring and response is what’s most important; where the equipment goes is secondary.

It is for this reason that a choice between implementing network security in the middle of the network—in the cloud—or at the endpoints is a false dichotomy.  An organization had no choice but to put its firewalls, IDSs and anti-virus software inside its own network.  Security would be vastly improved if the major carriers implemented cloud-based solutions, but they’re no substitute for traditional firewalls, IDSs and IPSs.

http://www.computerworld.com.au/index.php/id;1786107200;fp;16;fpid;0