Saturday, February 28, 2009

Security In the Cloud

Yesterday I watched a little bit of the Ustream of "Whose Cloud Is It Anyway" - a round table and meetup in Mountain View. The discussion, while interesting, was a little dry. I actually enjoyed tweets from Christofer Hoff and James Urquhart much more.

Today I ran across a presentation by Dan Kaminsky, a name I hear a lot (mainly on TWiT, I believe). His presentation, below, is titled "When Irresistible Forces Attack Security In The Cloud". The presentation covers security in cloud computing and has a number of interesting points:
  • "Uncomfortable Fact #6: Virtualization Not Actually Required For Cloud Compromise" -- slide 26
  • Slide 30 -- three classes of private clouds: Fully private, outsourced private and non-secure (i.e.: Amazon's S3)

The enterprise cloud play is the more interesting one to me. I have gotten over my disgust for the marketing hype frenzy by calling it the "cloud" (it also gives many magazines and blogs an avenue for pretend-creative article titles). I'm still looking for a good definition that is 'not' the same as the Internet, or an overall shift in computing architecture. Anyway....time to move on.

Now.... take the Kaminsky presentation and throw on a slew of acronyms provided by the government. Corporations have a number of laws, policies, audits, acts, trade secrets, terms of service, privacy and other things to worry about. The World Privacy Forum, held this last week, presents a very interesting report: "Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing". I think the report drives home the point that there are many issues, and things in cloud computing are still being hashed out. Some interesting findings include:

  • Finding: Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information.
  • Finding: A user’s privacy and confidentiality risks vary significantly with the terms of service and privacy policy established by the cloud provider.
  • Finding: For some types of information and some categories of cloud computing users, privacy and confidentiality rights, obligations, and status may change when a user discloses information to a cloud provider.
  • Finding: Disclosure and remote storage may have adverse consequences for the legal status of or protections for personal or business information.
  • Finding: The location of information in the cloud may have significant effects on the privacy and confidentiality protections of information and on the privacy obligations of those who process or store the information.

A Network World article discusses the IDC Cloud Computing Forum. Joseph Tobolski, director for cloud computing at Accenture, states, "Some people create a list of requirements for security in the cloud that they don't even have for their own data center". Well....maybe they need BETTER requirements for their own data center!! I personally don't think people worry "too much" about security in the cloud; it is a legitimate concern that any responsible business should question. The good news is that cloud providers have the chance to do security right, and provide a more secure environment than the small/medium business could have done for itself. The bad news: it's early yet, and that completely secure (if there is such a thing) environment is not built yet.

When Irresistible Forces Attack
