Recently, Andreas M. Antonopoulos wrote an informative piece for Computerworld about cloud security. In his post, he clearly outlines the mental shift needed on cloud security so that auditors and regulators can be convinced on the issues of security and compliance.
The crucial takeaway from his post is the following:
"we are rapidly moving from a location-centric security model to a more identity- and data-centric model"
This is the key to the success of cloud computing. I have emphasized several times in this space the need to rethink how we do security. As pointed out by Mr. Antonopoulos, we need a mental shift from our old-fashioned, location-based security concepts to securing the data, identity, etc. To emphasize the point about the much-needed mind shift, he gives a neat example of how to exert control and ownership over data without having any control over the infrastructure where it is stored.
"An easy example is public key encryption. I maintain ownership of a private key and I control access to it. Usually the private key is stored in a secure location. But from the ownership of the key I can exert control over the information without having to own the rest of the infrastructure."
Once top management and even security personnel in enterprises subscribe to this kind of thinking, it will be possible to convince regulators and other government bodies.
This transformation is not going to happen overnight. It is an evolution with many players involved. There are customers who need a mind shift in how they perceive security; there are the cloud service providers, who should offer the highest level of security in their infrastructure and also build trust with sensible contracts that will add confidence to the enterprise customers (a few red and green dots don't cut it); and, finally, there are regulators, who should understand the advantages of fast-evolving technologies and keep regulations in tune with technological development. On top of all this, cloud technology is still in its early stages and needs to mature further.
Unless we see an evolution on all of the above fronts, it is difficult to visualize a world where public clouds are the only way of life. In fact, even if all of the above players evolve, the very fact that the world is diverse and its needs are diverse implies that there will always be some need for the so-called private clouds and internal clouds. I do agree that the economics of public clouds will eventually move more and more customers into the public clouds, but the evolution will be slow and not complete. There is no point in arguing about whether private clouds should exist or not. Rather, we should be focusing on developing better standards for interoperability, security, etc. and let market forces decide the evolutionary path of the clouds.