Security and the Cloud – What Does That Even Mean?
I was chatting with Pete Lindstrom this morning about how difficult it is to frame meaningful discussion around what security and Cloud Computing means.
In my Four Horsemen presentation I reflected on the same difficulty as it relates to security and virtualization. I arrived at separating the discussion into three parts:
- Securing virtualization refers to what we need to do in order to ensure the security of the underlying virtualization platform itself.
- Virtualizing security refers to how we operationalize and virtualize security capabilities — those we already have and new, evolving solutions — in order to secure our virtualized resources.
- Security via virtualization refers to what security benefits above and beyond what we might expect from non-virtualized environments we gain through the deployment of virtualization.
In reality, we need to break down the notion of security and Cloud computing into similar chunks. The reason for this is that much like in the virtualization realm, we’re struggling less with security technology solutions (as there really are few) but rather with the operational, organizational and compliance issues that come with this new uncharted (or poorly charted) territory.
Further, it’s important that we abstract offering security services from the Cloud as a platform versus how we secure the Cloud as a platform…I’ve chatted about that previously.
Thus we need to understand what it means to secure — or have a provider secure — the underlying Cloud platform, how we can then apply solutions from a collective catalog of compensating controls to apply security to our Cloud resources and ultimately how we can achieve parity or even better security through Cloud Computing.
I find it disturbing that folks often have the opinion of me that I am anti-Cloud. That’s something I must obviously work on, but suffice it to say that I am incredibly passionate about Cloud Computing and ensuring that we achieve an appropriate balance of security and survivability with its myriad of opportunity.
To illustrate this, I offer the talking slide from my Frogs presentation of security benefits that Cloud presents to an organization as a forcing function as they think about embracing Cloud Computing. I present this slide before the security issues slide. Why? Because I think Cloud can be harnessed as a catalyst for moving things forward in the security realm and used as a lever to get things done:
Looking at the list of benefits, they actually highlight what I think are the top three concerns organizations have with Cloud computing. I believe they revolve around understanding how Cloud services provide for the following:
- Preserving confidentiality, integrity and availability
- Maintaining appropriate levels of identity and access control
- Ensuring appropriate audit and compliance capability
These aren’t exactly new problems. They are difficult problems, especially when combined with new business models and technology, but ones we need to solve. Cloud can help.
So, what does “securing the Cloud” mean and how do we approach discussing it?
I think the most rational approach is the one the Cloud Security Alliance is taking by framing the issues around the things that matter most, pointing out how these issues with which we are familiar are both similar and different when talking about Cloud Computing. While others still argue with defining the Cloud, we’re busy trying to get in front of the issues we know we already have.
If you haven’t had a chance to take a look at the guidance, please do! You can discuss it here on our Google Group.
In the meantime, ponder this: Valeo utilizing Google Apps across its 30,000 users. Funny, I remember talking about CapGemini and Google doing this very thing back in 2007: Google Makes Its Move To The Corporate Enterprise Desktop – Can It Do It Securely?
Check out some of the comments in that post. Crow, anyone?