I attended the cloud conference keynote by Ryan Berg, a Senior Architect for Security Research at IBM. The presentation, titled “Cloud Security – A Business Transformation Nirvana or Security Nightmare?” examined the move towards the cloud and the associated implications and opportunities for security.
Berg began his presentation by looking at the environment in which we now find ourselves. There is a clear move towards the cloud, which means many things to many people. To some people, “cloud” conjures up the idea of salesforce.com, while others think of Apple’s iCloud. Cloud is all of these things, which is part of the reason it’s so complicated to talk about cloud security. While the many well-documented benefits of the cloud are clear, the real challenge is how to realize these benefits AND think about security. Here are some of the conditions in which we find ourselves, each with its own security implications:
- We are more interconnected than ever before: traditional walls that we have relied upon in the past have actually been gone for years. How do we think about security in a world in which the traditional ways we defined our spaces (intranet, extranet, etc.) have disappeared?
- The level of sophistication is up: The sophistication of attacks is much greater than it once was. However, our ability to recognize that we are being attacked is also increasing. We now have a greater level of awareness than we once had.
- Everything is everywhere: With the movement of business to new platforms, data exists in a much more complex environment. Depending on whether your data is in a public or private cloud, the responsibility may shift, but the risk always falls on you. You need to be having the right conversations to ensure your cloud delivery model fits your organization’s needs.
- There is a consumerization of IT: The line between personal and professional hours, devices, and data is disappearing. Employees want their IT to work with and for them, not against them.
- There has been an explosion of data: We are growing data more quickly than our ability to manage it. In order to build intelligence on data, we need to be able to build a broader view than that which exists within each data set – cloud can help with this.
- Not all attacks are targeted: Organizations often think no one would want to target them. What they fail to understand is that some groups will simply attack the internet to take what they can get. You don’t need to be specifically targeted to be affected.
- Motivation and sophistication are evolving: competitors and organized crime are going to be a threat as long as there are secrets to be obtained or money to be made. Organizations need to get used to the fact that their cloud is actively going to be attacked and that intruders are going to be sitting inside their networks. They need to understand that they could be operating in a hostile environment.
Berg then turned more specifically to cloud security. “In a cloud environment,” he said, “access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases – greatly affecting all aspects of IT security.” He argued that security is actually the true enabler of the rapid expansion of cloud and IT. He used the analogy of security as the brakes on a car: the presence of brakes is what actually allows cars to go faster. Similarly, in order to accelerate cloud adoption, we need security to enable it. He examined four different patterns of cloud use, emphasizing that security concerns differ for each:
- Business solutions on cloud (software as a service) – Security concerns: compliance and governance
- Cloud service provider (Innovate business models) – Security concerns: data and compliance
- Cloud platform services (platform as a service) – Security concerns: applications and data
- Cloud enabled data center (infrastructure as a service) – Security concerns: infrastructure and identity
What’s important, he argued, is that organizations build security into the cloud solution from the very beginning, not try to retrofit it later on. When building a cloud solution, organizations can actually build security controls into the infrastructure, which represents a big improvement for some IT organizations that currently have a good picture of what they are deploying. Berg (and IBM) argue that the appropriate process for deploying cloud solutions is to 1) design, 2) deploy, and 3) consume. He believes cloud can be made secure for business, but it takes planning, careful implementation, and honest conversations about security needs. In other words, if someone offers to sell you cloud security in a box, run away.
Finally, Berg ended with a call to action. There are many cloud guidelines out there, he said, but few real standards. A whole host of organizations are working to improve the dialogue around this (e.g. the Cloud Standards Customer Council, The Open Group, the International Organization for Standardization, the CloudAudit working group, and the OASIS Identity in the Cloud TC). There are ample opportunities to get involved, so make yourself part of the conversation.
Why not begin that conversation now? A couple of questions that emerge from Berg’s keynote are:
- How should we establish cloud computing standards?
- What must be included in a set of guidelines?