Wait, am I saying that "the cloud" is secure and that we can migrate all of our data and apps and never worry about security again? Of course not. If that were the case, I'd be out of a job. I'm saying that when it comes to cloud security, most of us are focusing our efforts and attention on the wrong problems.
Every week, countless hours are spent in enterprises everywhere trying to determine whether Dropbox is more or less secure than Box, or on sending painfully long and detailed questionnaires to cloud email providers to assess risk. Is it important to assess the security processes, procedures, and infrastructure of cloud app vendors? Absolutely. In today's world, where anyone with some basic coding skills and a credit card can fire up a new "cloud app" on AWS in a matter of days, it is absolutely necessary to vet your vendors and understand how your data is being protected. But that doesn't mean you should assign a task force and spend months agonizing over whether Google Apps is more secure than Office 365.
According to Jay Heiser at Gartner (Everything You Know About SaaS Security is Wrong, April 24, 2014), "Most organizations are focusing on the wrong risks, concentrating on a relatively small potential for SaaS security failure, and putting too little emphasis on management of their own users and data."
That's spot on. Users and their frequently unmetered access to sensitive corporate data represent a far easier target than data stored at rest in the cloud app vendor's infrastructure. After all, many of these apps make it incredibly easy to sync data to any device (including unmanaged BYOD devices), share data externally, and access anything.
While our users sync sensitive corporate data via one-off accounts with weak passwords to unmanaged mobile devices, we continue to fret over whether Workday runs their app from data centers with 3-foot-thick reinforced concrete walls and sharks with laser beams attached to their heads!
It's time we reassessed where we're spending our time when it comes to cloud security. Focusing on the biggest vulnerability - our users and our data, and where that data goes - is the place to start.