Haze of Cloud Computing
I have written a little in the past on cloud computing and SaaS; however, as previously stated, I have stayed away from doing so for many reasons, the primary being that I am an information security professional as opposed to a cloud computing one. Cloud computing is all the rage in business today, so I thought I would write a little more on it. Its impact is undeniable, as are the debates which rage with respect to what defines or constitutes a “cloud”. In my view of the world, cloud computing is in many respects like modern art; an appreciation of the abstract is necessary in order to derive a sense of meaning, otherwise you are just faking it to impress someone. I for one have little appreciation for modern art and readily admit it (to the chagrin of my brother-in-law, who is an artist and lover of modern art), though I do like impressionism and nature scenes. However, that doesn’t mean that I don’t use or apply abstract thought to concepts which require it (it just means I like pictures and paintings which more often than not look like something, though I am evolving in this area too).
Now back to the cloud. I think cloud computing is in many senses like modern art. To begin with, there is no definite shape, size, context, hue, flow, or tone associated with it – in other words, no standards or rules to be judged against or measured up to. The asymmetrical is accepted alongside the symmetrical; there is no right or wrong way, just different ways. This, I think, will not change until formal standardization occurs in that space. When will this occur? Who is to say? Though “cloudies” and security strategists alike pontificate on the implications associated with cloud environments, no one seems to have a solid model for standardization. I maintain that many of the ‘cloud’ services or infrastructures already exist in one form or another, as ‘clouds’ in data and telecommunications environments are not new. Cloud computing is not my forte, as I have pointed out before – information security is. As such, I defer to people such as Chris Hoff (all hail the Hoff!) or Nick Selby in areas related to the cloud, as they have both written voluminous amounts on the topic.
My personal feelings are that cloud-based solutions, like any infrastructural solution, need to meet minimum criteria from an information security perspective that complement business need and performance rather than hinder them. Tall order? Perhaps. Impossible? I think not. Service Level Agreement (SLA) nightmare? Maybe, just maybe. Many people quip and wax ecstatic about cloud computing services without taking the time to digest what they mean to a business and its data. Whether or not they are qualified to speak in depth and at length is debatable, but nonetheless, many folks are out there doing just that. In some respects, it does not matter so long as there is an audience willing to listen. It is for those instances and audiences specifically that I have constructed today’s piece, so enjoy!
Clouds are nebulous. Some of them take on a cumulus form, drifting throughout the skies in comfortably billowing capacities. However, these are not the clouds we are looking for (I apologize in advance for the awesome opportunity to inject Star Wars humor). Our clouds are earthbound (let us not introduce the role of satellite communication into this post, thank you), and as such, terrestrial and man-made. Are there challenges associated with cloud computing? Yes, I believe there are, and I would go as far as to say that even the most astute “cloudies” would agree that it is not all champagne wishes and caviar dreams in the land of cloud computing services. Of course there are challenges; to assert otherwise would be intellectually dishonest and would likely brand the party asserting there were no challenges as a neophyte who should not be trusted (you know who you are and you know we’re watching you!). Some of the challenges associated with cloud-based services are more realistic than others. Examples of these areas of concern stem from the following:
- Trust and integrity of the cloud itself and the services it’s delivering and data it’s accommodating
- Trusting the integrity of the solution and the provider to offer a compelling, cost-efficient, tenable solution that meets the needs of the client while demonstrating value. Not exactly a trivial concept for the provider of the solution or the consumer.
- Segregation of data is another area that represents challenges. It is quite easy to say that data is segregated; however, what measures are being taken to convince current and prospective subscribers? Is that my database or yours? I think your .ppts got mixed up with my .pdfs in his home directory (like a bad laundry story).
- Identity – I am simply not going to say anything about identity other than this: it is, in my mind, paramount to the success of these types of solutions on the whole – cradle to grave identity management and assurance. As more and more diverse types of applications are moved to the cloud, thus providing user bases with more options, the need for identity management and assurance will only grow.
- Confidentiality and Privacy – It goes without saying that any service delivered in a cloud or on the ground where other people’s data and personal information are potentially at risk, requires the utmost in thought being given to confidentiality and privacy. Regulatory & governance bodies be damned! This should always be part of the equation and never the result of a botched audit.
- Visibility and management – Simply stated, if it is not easy to manage and extract salient, meaningful detail from, it will serve little use to the business. As a result, solutions must demonstrate both in-depth visibility and ease of management in order to prove useful to the client. Visibility and management should be given a great deal of thought by providers should they desire to be in business for the long term. Suspend, if you will, the knowledge of technologies such as web-based portals for a moment and ask yourself the following: In the absence of that sort of technological solution, how can visibility & manageability be achieved? If you cannot answer it and your provider does not have a solid answer, I would keep shopping.
- Portability and interoperability – Does it follow my staff and all of my employees wherever they, or I, may find them? If it doesn’t, shouldn’t it? Remember, this is especially compelling in large-scale enterprise environments, especially those considering making a move towards cloud-based security solutions. Were I in that position, I would want something that followed my employees and me and met our needs whether we were sitting in the office, the lobby or Starbucks with no VPN connectivity. One key element that both providers and prospective subscribers must take into consideration is that of portability, especially given that the introduction of services of this type is often made in order to suspend and decommission more traditional ones. Interoperability – the ability to interoperate and co-exist with other applications and systems – those found to be native on a given enterprise’s systems or perhaps even other hosted “cloud based” solutions. What steps are being made to ensure that interoperability exists and can be guaranteed for the prospective subscribers?
- Reliability and resiliency offer up other areas of concern and consideration — To what degree does the solution offer guarantees around reliability and resilience of the solutions in question? As there is no ubiquitous standard speaking to this, it is paramount to the successful adoption of services of this type that all parties endeavoring to adopt these types of services inspect what they expect.
- Governance and compliance — Last but certainly not least is the shadowy phantom of governance and compliance. Like the ghosts of Christmas past, present and future, these specters haunt IT and Security Management alike, chasing them down like Ebenezer Scrooge through the streets of London on a wintry December night. Like reliability and resiliency, how are these entities defining and thusly proving compliance (for what could be a myriad of different regulatory and compliance needs and environments on behalf of their prospective customers)?
Having said all that, I have no trouble at all believing that services will continue to be stood up in haphazard fashion while some will take the time to properly design their environments to provide the most optimal environments for their customer bases. The future should prove interesting with respect to cloud-based solutions; let us just hope there remains always a silver lining.
Comments
Ed Mahoney on 11.17.2009
I like that you put “trust” first, whether or not it was intentional. I think reputation scoring will evolve into one of the standards for defining Cloud solutions – from a security perspective anyway.