SAN FRANCISCO -- Never mind Microsoft's awkward "Scroogled" anti-Google campaign. When it comes to cloud security, the two giants are practically best buds.
At the annual RSA Conference held at the Moscone Center here on Wednesday, Microsoft Chief Information Security Officer Bret Arsenault and Google Director of Security for Google Apps Eran Feigenbaum explained their stances on cloud security at a panel also featuring noted independent security expert Bruce Schneier and Verizon's data breach risk team expert, Wade Baker.
Schneier said that the way to make the cloud more secure depends entirely on the ability of companies to build strong bonds of trust.
"Fundamentally, 'cloud' means to me your data on somebody else's hard drive. Do I trust that other legal entity with my data on their hard drive?" Schneier said. "In some ways, this is no different than the levels of trust that we have had to have through the years. Vendors can screw our security, make bad decisions, lie to us."
It didn't take long for panel moderator John Pescatore to take the stage-setting idea of trusting a cloud vendor to its logical conclusion, at least in terms of the panelists' backgrounds. Would Microsoft ever trust Google enough to host its data on Google's servers? Would Google do the same?
Arsenault and Feigenbaum's stances were so close that they could've given each other a bear hug.
Arsenault responded first, politely saying that as with any other major move, the decision at Microsoft to use Google's cloud services would depend on "business factors."
"We do outsource a number of business components today," Arsenault said, but he reminded the audience that, "we always have a motivation to use our own software first."
Feigenbaum was a bit more forthcoming. "We do use some competitors' cloud [systems] today. Some of their services are better than ours, and some of them use ours," he said.
He embraced Schneier's emphasis on trust. "It comes down to trust," Feigenbaum said. He defined the problem of getting businesses large and small to trust the cloud as one requiring technical and contractual explanations of both security and privacy commitments.
Schneier said those commitments will become more formalized as the certification process becomes more rigid. As bigger businesses adopt more cloud-based tools and trust in their security, smaller businesses and individuals will follow suit.
"We fundamentally blindly trust," he said. "We trust licensing, we trust litigation, there's a lot of systems we have for when trust fails. All these critical apps are a very human system," and thanks to the cloud, computing is moving back toward trust, Schneier said.
The panelists did acknowledge some limitations amid their otherwise enthusiastic endorsement of the cloud.
"It's not an all-or-nothing strategy," Feigenbaum said. He described three kinds of data that most companies produce: public data, sensitive data, and top secret data. The first two, he said, are acceptable for the cloud, but things like system requirements and public infrastructure should be kept off the cloud for now.
Potential data guidelines notwithstanding, the panelists also agreed that the onus is on companies that offer cloud services to make them more trustworthy.
"What did it take us to use credit cards? Very little liability for me," Google's Feigenbaum said. "What's the equivalent for the cloud?"