
One of the biggest dilemmas facing customers thinking about Cloud adoption is
their lack of trust in Cloud security. On the consumer app/services front, I
would say it is not a big issue because the Cloud vendors have a better security
implementation than what consumer users can have on their own machines/servers.
However, it gets tricky on the enterprise front. Enterprises are not all that
comfortable with putting their critical data outside their firewall. My personal
opinion is that Cloud security is as good or as bad as enterprise security. The
biggest issue here is whether you trust your own security team or a third-party
provider's security team. It is more of a trust issue in play with the
enterprises.

However, there are some issues that creep in when you think at Cloud
scale. When you bring thousands and thousands of servers together and layer
them with a “fabric” to build a Cloud-like architecture, there are bound to be new
security challenges that were hitherto unknown in the traditional model of
computing. Also, there are issues like “malicious intent” crawling in from other
virtual machines running on the same hardware. These issues are important, but they
should not be a reason to discard the advantages offered by Cloud Computing.
There are some real dangers, like the ones described above, and there is some
fear mongering, like the propaganda that says implementing security at the cloud
level is difficult. It is important for users to understand the dangers,
minimize the risks and benefit from the tremendous advantages of doing computing
in the clouds.

This is exactly the kind of problem the Cloud Security Alliance (CSA) wants to
solve. They want to develop best security practices for
vendors so that the potential risks are reduced and also educate users
about security in all forms of computing. As Christofer Hoff puts it, CSA is a
member-driven forum to discuss the issues and opportunities for security in the
Cloud Computing space.

Unlike many other vendor-only efforts, CSA welcomes members from both
vendors and consumers. If you are interested in using the Clouds and want to
play a role in developing a good security model, head over to their site to find
information about how you can participate. CSA will be launched during the RSA
conference at the end of April and will concentrate on issues in the following
areas:
- Information lifecycle management
- Governance and Enterprise Risk Management
- Compliance & Audit
- General Legal
- eDiscovery
- Encryption and Key Mgt
- Identity and Access Mgt
- Storage
- Virtualization
- Application Security
- Portability & Interoperability
- Data Center Operations Management
- Incident Response, Notification, Remediation
- “Traditional” Security impact (business continuity, disaster recovery, physical security)
- Architectural Framework

To keep tabs on their activities, you can follow them on Twitter or join their
LinkedIn group. Security is not only a major concern when it comes to Cloud
Computing; it also has the potential to turn into an advantage with further
developments in the field. I am glad that efforts are underway to identify
proper security practices and also to educate the users. In fact, educating the
users is as important as Cloud security itself. CSA is a good first step and
a much-needed effort for the future success of Cloud Computing.

Disclaimer: I am not a hardcore security guru. I am just aware of the system
and network security issues from my previous avatar as a System Admin. If you are
really interested in understanding more about Cloud Security, I strongly
recommend the blogs of Christofer Hoff and Dan Kaminsky.