By: Dana Gardner, Principal Analyst, Interarbor Solutions
Published: 17th August 2009
Copyright Interarbor Solutions © 2009
Welcome to a special podcast discussion coming from The Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto. This podcast, part of a series from the July 2009 event, centers on cloud computing security.
Much of the cloud security debate revolves around perceptions. ... For some, cloud security is seeing the risk glass as half-full or half-empty. Yet security in general takes on a different emphasis as services are mixed and matched from a variety of internal and external sources. Will applying conventional security approaches and best practices be enough for low-risk, high-reward cloud computing adoption? Most importantly, how do companies know when they are prepared to begin adopting cloud practices without undue security risks?
Here to help better understand the perils and promises of adopting cloud approaches securely, we welcome our panel: Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Chris Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; Dr. Richard Reiner, CEO of Enomaly; and Tim Grance, program manager for cyber and network security at the National Institute of Standards and Technology (NIST).
The discussion is moderated by me, BriefingsDirect's Dana Gardner.
Here are some excerpts:
There are security concerns to cloud computing. Relative to the security concerns in the ideal enterprise mode of operation, there is some good systematic risk analysis to model the threats that might impinge upon this particular application and the data it processes, and then to assess the suitability of different environments for potential deployment of that stuff.
There are a lot more question marks around today's generation of public-cloud services, generally speaking, than there are around the internal computing platforms that enterprises can use. So it's easier to answer those questions. It's not to say the answers are necessarily better or different, but the questions are easier to answer with respect to the internal systems, just because there are more decades of operating experience, there is more established audit practice, and there is a pretty good sense of what's going to be acceptable in one regulatory framework or another.
The first thing that you need to know is, "Am I going to be able to deliver a service the same way I deliver it today at minimum? Is the user experience going to be, at minimum, the same that I am delivering
Because if I can't deliver, and it's a degradation of where my starting point is, then that will be a negative experience for the customers. Then, the next question is, obviously, is it secured as a business continuity? Are all those things and where that actual application resides completely transparent to the end user?
Brunette: Is cloud computing more or less secure than client-server? I don't think so. I don't think it is either more or less secured. Ultimately, it comes down to the applications you want to run and the severity or criticality of these applications, whether you want to expose them in a shared virtualized infrastructure.
... When you start looking at the cloud usage patterns and the different models, you're going to see that governance does not end at your organization's border. You're going to need to understand the policies, the processes, and the governance model of the cloud providers.
It's going to be important that we have a degree of transparency and compliance out in the cloud in a way that can be easily consumed and integrated back into an organization.
One of the interesting notions of how cloud computing alters the business case and use models really comes down to a lot of pressure combined with the economics today. Somebody, a CIO or a CEO, goes home and is able to fire up their Web browser, connect to a service we all know and love, get their email, enjoy a robust Internet experience that is pretty much seamless, and just works.
Then, they show up on Monday morning and they get the traditional, "That particular component is down. That doesn't work. This is intrusive. I've got 47,000 security controls that I don't understand. You keep asking for more money."
Cloud has a vast potential to cause a disintermediation, just like in power and other kinds of industries. I think it may run eventually through some of these consulting companies, because you won't be able to get as rich off of consulting for that.
In the meantime, I think you're going to have ... people simply just roll their own [security]. Here's my magic set of controls. It may not be all of them. It may just be a few of them. I think people will shop around for those answers, but I think the marketplace will punish them.
... If you look at a lot of the cloud providers, we tend, in many cases, to fight some standards, because, in reality, we want to have competitive differentiators in the marketplace. Sometimes, standards and interoperability are key ones; sometimes, standards create a lack of our ability to differentiate ourselves in the marketplace.
On the security side, I think that's one of the key areas that you definitely can get the cloud providers behind, because, if we have 10,000 clients, the last thing we want is to have enough people sitting around taking the individual request of all the audits that are coming in from those ... So, to put standards behind those types of efforts is an absolute requirement in the industry to make it scalable, not just beyond the infrastructure, performance, availability, and all those things, but actually from a cost perspective of people supporting and delivering these services in the marketplace.
... One of the other things I'd point out is that it's not just about the cloud providers and the cloud consumers, but there are also other opportunities for other vendors to get into the fray here.
One of the things that I've been a strong proponent of is, for example, OS vendors producing better, more secured, hardened versions of their operating systems that can be deployed and that are measurable against some standard, whether a benchmark from the Center for Internet Security, or FDCC in the commercial or in the federal space.
You may also have the opportunity of third parties to develop security-hardened stacks. So, you'd be able to have a LAMP stack, a Drupal stack, an Oracle stack, or whatever you might want to deploy, which has been really vetted by the vendor for supportability, security, performance, and all of these things. Then, everyone benefits, because you don't all have to go out there and develop your own.
... At the end of the day, if you develop and you deliver a service ... and the user experience is positive, they're going to stay with the
On the flip side, if somebody tries to go the cheap way and ultimately delivers a service that has not got that high availability, has got problems, is not secure, and they have breaches, and they have outages, eventually that company is going to go out of business. Therefore, it's your task right now to figure out who are the real players, and does it matter if it's an Oracle database, SQL database, or MySQL database underneath, as long as it's meeting the performance requirements that you have.
Now, because everything is relatively new, you will have to ask all the questions and be comfortable that those answers are going to deliver the quality of service that you want. Over time, on the flip side, it will play out and the real players will be the real players at the end of the day.
Hoff: ... It [also] depends on what you pay for it, and I think that's a very interesting demarcation point. There is a service provider today who doesn't charge me anything for getting things like mail and uploading my documents, and they have a favorite tag line, "Hey, it's always in beta." So the changes that you might get could be that the service is no longer available. Even with enterprise versions of them, what you expect could also change.
... In the construct of SaaS, can that provider do a better job than you can, Mr. Enterprise, in running that particular application?
It comes down to an issue of scale. More specifically, what I mean by that is, if you take a typical large enterprise with thousands of applications, which they have to defend, safeguard, and govern, and you compare them to a provider that manages what, in essence, equates to one application, comparing apples to elephants is a pretty unreasonable thing, but it's done daily.
What's funny about that is that, if you take a one-to-one comparison with that enterprise that is just running that one application with the supporting infrastructure, my argument would be that you may be able to get just as good as, perhaps even better, performance than the SaaS provider. It's when you get to the point of where you define scale, it's on the consumer side or number of apps you provide, where that question gets interesting.
What happens then when I end up having 50 or 60 cloud providers, each running a specific instance of these applications? Now, I've squeezed the balloon. Instead of managing my infrastructure, I'm managing a bunch of other guys who I hope are doing a good job managing theirs. We are transferring responsibility, but not accountability, and they are two very different things.
... In almost every case, the cloud providers can hide all of that complexity, but it gives them a lot more flexibility in terms of which technology is right for their underlying application. But, I do believe that over time they will have a very strong value proposition. It will be more on the services that they expose and provide than the
... The reality is, portability and interoperability are going to be really nailed to firstly define workload, express the security requirements attached to that workload, and then be able to have providers attest in the long-term in a marketplace.
I think we called it "the Intercloud," a way where you go through service brokers or do direct interchange with this type of standards and protocols to say, "Look, I need this stuff. Can you supply these resources that meet these requirements?" "No? Well, then I go somewhere else."
Some of that is autonomic, some of it's automated, and some of it will be manual. But, that's all predicated, in my opinion, upon building standards that let us exchange that information between parties.
I don't think anyone would disagree that learning how to apply audit standards to the cloud environment is something that takes time and will happen over time. We probably are not in a situation where we need yet another audit standard. What we need is a community of audit practices to evolve and to mature to the point where there is a good consensus of opinion about what constitutes an appropriate control in a
As Chris said, it comes down to open standards. It's important that you are able to get your data out of a cloud provider. It's just as important that you need to have a standard representation of that data, something that can be read by your own applications, if you want to bring it back in house, and something that you can use with another provider, if you decide to go that route.
Grance: I'm going to go out on a limb and say that NIST is in favor of open, voluntary consensus, but data representation and APIs are early places where people can start. I do want to say important things about open standards. I want to be cautious about how much we specify too early, because there is a real ability to over-specify early and do things really badly.
So it's finding that magic spot, but I think it begins with data representation and APIs. Some of these areas will start with best practices and then evolve into these things, but again the marketplace will ultimately speak to this. We convey our requirements in clear and pristine fashion, but put the procurement forces behind that, and you will begin to get the standards that you need.
Published by: IT Analysis Communications Ltd.