Recently, Andreas M. Antonopoulos wrote an informative piece on Computer World about Cloud Security. In his post, he clearly outlines the mental shift needed on Cloud Security so that auditors and regulators are convinced about the issues of security and compliance.
The crucial takeaway from his post is the following:
we are rapidly moving from a location-centric security model to a more identity- and data-centric model
This is the key to the success of cloud computing. I have emphasized several times in this space the need to rethink how we do security. As pointed out by Mr. Antonopoulos, we need a mental shift from our old-fashioned, location-based security concepts to securing the data, identity, etc. To emphasize the point about the much-needed mind shift, he gives a neat example of how to exert control and ownership over the data without having any control over the infrastructure where it is stored.
An easy example is public key encryption. I maintain ownership of a private key and I control access to it. Usually the private key is stored in a secure location. But from the ownership of the key I can exert control over the information without having to own the rest of the infrastructure.
Once we make the top management and, even, security personnel in enterprises subscribe to this kind of thinking, it will be possible to convince regulators and other bodies of government.
This transformation is not going to happen overnight. It is an evolution with many players involved. There are customers who need a mind shift in how they perceive security; there are the cloud service providers, who should offer the highest level of security in their infrastructure and also build trust with sensible contracts that will add confidence to the enterprise customers (a few red and green dots don’t cut it); and, finally, there are regulators, who should understand the advantages of fast-evolving technologies and keep the regulations in tune with technological development. On top of all this, cloud technology is still in its early stages and needs to mature further.
Unless we see an evolution on all of the above-mentioned fronts, it is difficult to visualize a world where public clouds are the only way of life. In fact, even with the evolution of all the above-mentioned players, the very fact that the world is diverse and the needs are diverse implies that there will always be some need for the so-called private clouds and internal clouds. I do agree that the economics of public clouds will eventually move more and more customers into the public clouds, but the evolution will be slow and not complete. There is no point in arguing whether private clouds should exist or not. Rather, we should be focusing on developing better standards for interoperability, security, etc. and let market forces decide the evolutionary path of the clouds.






I like this idea and statement. Meanwhile, I am thinking there will be an emerging “Virtual Private Cloud”, which will take an identity- and data-centric approach to transport the packets.
Hi everyone,
I came across a very interesting online summit which is also relevant to this discussion
Cloud Security online summit: http://bit.ly/10zkvC
What?
Industry Thought Leaders will dive into the different security options available across multiple cloud architectures, and case studies and association presentations will further illustrate the security issues facing the cloud today.
Who?
Miranda Mowbray, Hewlett-Packard, Senior Technical Contributor
Jim Reavis, Cloud Security Alliance
Liam Lynch, Chief Security Strategist, eBay
Jinesh Varia, Technology Evangelist, Amazon Web Services
Lee Newcombe, Capgemini, Principal Consultant
Enables vibrant exchange of ideas between Thought Leaders and viewers
Provides Thought Leadership, Best Practices and Case Studies
[..] Obviously, security is an important topic to address, but progress is slowly but surely made. Governance and how the service evolves over time is another aspect that needs to be addressed. Some large OEMs may take the lead and direct their suppliers to attend, but in most situations, we expect a trusted third party to run the service. Obviously, in that case, having a team looking after the evolution of the service, what new functionality is taken in service when, becomes important. Building a community around the service will make the members feel part of a team, which is exactly what you are looking for to establish a successful service. [..]