IBM's Analysis is Correct

From my experience with some major western corporations I would say IBM's opinion is correct. I am a software engineer with a CS education; I know the whole spectrum of security technologies and security practices. I also know the shabby state of corporate IT in many small, medium and big companys, public or private.

In the end, managers do not want to spend time and money on anything which could be called Proper Security. They do indeed spend more on coffee and juice than they are ever willing to spend on their own IT security.

In many cases software is simply too complex to be properly configured and secured - Lotus Notes being a prominent example.

A large financial corporation I worked with found it "too expensive" to have anything like a proper patching policy for their employees' PCs. The rationale was "that we created the PC image thirteen months ago and so you have the patch level of thirteen months ago for firefox, java and some more non-microsoft products. Certainly we will not give you admin rights to do it yourself. This is corporate policy.".

Looking at "Software As A Service"-Style cloud vendors like Salesforce and Google (apps), they do indeed have quite strong incentives (read: funding, staffing) to "do security properly". Security is part of their "core business" and not just part of that "support function IT".

A single highly competent (read: expensive) security expert can secure millions of Salesforce users, while an inhouse-system will never get that attention.

So far Theory. Whatabout empirical results ?

Google Mail (which nicley fits the SaaS cloud definition) has been once partially "owned" by hackers from that asian country, if Google is to be believed. But during the same timeframe, dozens of other companies of much smaller user populations have been "owned". NYSE and Rolls-Royce are just two prominent examples.

Some companies had their full password/email/document databases looted and published on the internet. HBGary's emails would have been safer in the Google cloud than on their own systems.

The political angle of all this definitely is an issue, as any cloud provider will be exposed to pressure by it's government. If you can't trust Uncle Sam, use an SaaS provider from a different country. If your life depends on data security, use only SaaS providers of "definitely friendly" countries. This can be a concern in the arms business, as recent events have proven.

To conclude - the cloud is coming and we will trust it the way we trust the telephone system. In other words, there won't be *any* business secret we are not willing to tell the "cloud". No, not "cynic", "realist".