The ease of getting started with cloud services is a nightmare from a security perspective, he suggested. People on the business side of an organisation can simply sign up and put the usually modest charges on their credit cards, bypassing the normal security procedures (though probably not maliciously).
"The savings [from using cloud services] are huge," he said, but it's important that business users engage with the security team to get things right.
He related the story of a large Australian retailer that started using Salesforce.com because it was so cost effective. Someone then decided to upload data that wasn't needed for the intended use, in breach of the company's own security regulations. Once the security team found out, the data was removed.
Mr Durbin suggests that business people tend to buy cloud services as they would buy consumer goods: most go out and buy the first fridge that looks about right, and only a few research the market carefully. Cloud suppliers, he said, should be treated like any other outsourcer.
How much trouble you should go to and the standards you should expect from providers depend on the importance of the project and the sensitivity of the data. In order to balance agility and flexibility with security, Mr Durbin suggests the following four points are especially important.
2. Agree with them what degree of security is needed for the project. It may be minimal, it may be complex, or it may be somewhere in between.
3. Decide how to validate the provider's security claims. An operator that applies a high level of physical security probably won't let you onto their premises to make your own checks, so you may need to rely on third-party certifications. If you're storing corporate data, you probably can't take the provider's word that its systems are secure.
4. Agree termination terms. "Make sure you get all your data back" when the relationship ends. Mr Durbin related an example of an organisation that stored all of its customer data in a cloud system, but when the contract ended it couldn't retrieve the data because "that wasn't part of the agreement."
"The only time you've got any control is on the way in," he warns: the balance of power shifts to the provider once you have signed a contract.
He also suggests thinking carefully about the price being charged: "There's often a clue in the price - it's cheap for a reason." That may be fine for some purposes but not for others. For example, a small business could probably lose access to its CRM system for a couple of hours and hardly notice, but if a bank's ATM network went down for a similar period, that would be considered a serious problem.
Mr Durbin suggests it is easier to validate the security of an IaaS provider, provided you ask the right questions. SaaS is harder to assess: much more of the total system is controlled by the provider, with little or no visibility for the client.
(The executive summary of the ISF report 'Driving out the seven deadly sins of cloud computing' is available here.)