Based on recent posts by cloud watchers, it's clear to me that security is on everyone's mind. It's positioned to be the obstacle to widespread adoption of cloud computing, but what's really going on in this space? Let's get a lively dialog going here in Cloud Builder. I invite you to join the discussion. Post your comments, questions, and concerns. Tell me what you're thinking.
Although it's apparent there are many challenges to guaranteeing cloud security, Intel and our partners are providing answers. We've published many white papers on the topic that you can find on this site. You can find them here: www.intel.com/technology/security.
Securing the cloud is on everyone's hot topics list. Recent editorial coverage of industry gatherings (IDF, Bay Area Secure World, and Hosting & Cloud Computing Summit) and surveys of IT managers spurred vigorous and serious discussion about cloud security issues. Here are a few recent posts that caught my attention. The news stories trend to the negative side of security, but it's natural for journalists to highlight their concerns. The good news is that Intel and the top minds in the industry are focused on ensuring cloud security from a number of directions.
IS SECURITY A BARRIER TO ADOPTION?
In a recent PC World survey, IT managers said they are "a bit scared" of cloud adoption. 62% of the executives surveyed have no confidence in cloud security. Respondents worry that third parties (where their data sits) can't enforce security policies.
LACK OF SERVICE LEVEL AGREEMENTS (SLAs)
Joseph Foran says that despite increased spending on network security, data security and compliance in the cloud are still problems. "A vacuum of standards and a trail of data security breaches haven't helped the cause any," he writes. A lack of SLAs and security guarantees can leave your company without any way to prove compliance.
Andi Mann says he distrusts the cloud hype. There's a "fundamental disconnect between cloud computing and mission-critical IT when it comes to ensuring security and compliance," he says. Extensive attention paid to security by internal IT managers is simply not matched by external vendors. He asks, "Who takes care of the intricacies of security management? Who establishes, maintains, and checks audit trails—assuming they are even being recorded in the first place?" He calls for the establishment of "trusted relationships, federated services, third-party monitors, pseudo-clouds, and other solutions" to address the passel of potential problems.
Michael Cobb highlights the importance of encryption. "Because a cloud implementation somewhat blurs the distinction between data at rest, in motion, and in use, data encryption becomes one of the most important defenses." I echo that sentiment in my recent blog "Encrypt the World."
CLOUD SECURITY ISSUES IN DEPTH
For a detailed analysis of possible cloud security problems, read this white paper from the Cloud Security Alliance: www.cloudsecurityalliance.org.
LACK OF STANDARDS AND FRAMEWORK
A new group is attempting to provide a cloud framework. CloudAudit calls it the "A6" or automating audit, assertion, assessment, and assurance via an API. Check out CloudAudit at www.cloudaudit.org.
Everyone is working to secure the cloud. Why? Because the cost savings and elasticity benefits require every IT manager to consider the cloud for at least some services. If isn't on your plate yet, it will be. Just this month, a consortium was formed of 24 service providers, vendors, government agencies, and consultants. They want to make it easier for businesses to compare the security features offered by cloud providers. The Cloud Assurance Metric (CAM) will publish objective, quantifiable measurements drawing from existing standards.