This article has been reposted from “CIO.com”.

There’s no doubt that cloud computing is dominating today’s IT conversation among C-level security executives. Whether they’re lured by its compelling cost savings or its perceived advantages, security leaders are probing the capabilities and restrictions of the cloud. At the same time, security and compliance concerns remain issues holding large enterprises back from capitalizing on the cloud’s benefits.

Some of the most frequently asked questions include: Is using cloud computing services advisable for applications and data subject to compliance requirements? Is compliance in the cloud even possible? And what standards are in place already to avoid the stormier implications of cloud?

Not surprisingly, any answer to these questions has to start with, It depends. Coming to a meaningful conclusion requires context. Is the cloud service public or private? The company’s specific compliance requirements are also key to understanding whether compliance can be achieved.

Blanket statements regarding compliance and the cloud aren’t possible because vendors can create different types of cloud services and infrastructures for single enterprises or groups. A recent National Institute of Standards and Technology (NIST) paper recognizes three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). NIST further describes four different deployment models: private cloud, community cloud (shared among several organizations), public cloud and hybrid cloud (part private, part public or community).

The different service and deployment models allow varying degrees of customer control and place different security and compliance obligations on both customers and service providers. In private clouds, for example, the organization building them is free to apply whatever set of controls it sees fit. In public, community or hybrid clouds, the customer organization does not typically have this degree of control. Furthermore, the flexibility afforded the user for an IaaS service will generally be a lot higher as compared to a SaaS service. And with that higher degree of flexibility comes a higher degree of responsibility for security and compliance for the user.

While many of the benefits of cloud computing apply across different cloud service models and deployment types, the ability of the various kinds of cloud computing to address security concerns and meet compliance obligations varies widely. For private clouds, it’s fairly straightforward to build controls into the cloud that enable compliance. For public cloud services, however, becoming compliant is a more challenging endeavor.

Another significant consideration is the specific set of laws that affect an organization. Some of the key compliance regulations, including HIPAA and the Gramm-Leach-Bliley Act, require careful analysis of the specific requirements, along with a solid understanding of the security controls put in place by the cloud service provider. And many public cloud service providers are not very transparent in providing information to their customers describing the specific security controls deployed.

Organizations considering using cloud services should perform a gap analysis between the specific requirements identified in relevant regulations and the set of controls provided by the cloud service provider. It is also worth noting that satisfying many compliance requirements will require assessing the control state for the cloud service at periodic intervals. For example, even performing vulnerability scans on public cloud services may be an issue, as some cloud services contracts limit the customer’s ability to do this.

Using cloud computing services for data and applications subject to compliance regulations requires a high degree of transparency on the part of service providers. If you’re considering these services, you need to think through what use cases make sense, closely review contracts and service-level agreements and understand how the cloud service meets compliance requirements. Insist on “right to audit” clauses and general transparency on the controls in use. Perhaps in the future cloud services will emerge that are tailored to meet the compliance requirements of specific industries, but for now—caveat emptor!

Read more

The ‘2010 State of Enterprise Security Survey – Global Data’ report shows that about one-third believe virtualization and cloud computing make security ‘harder,’ while one-third said it was “more or less the same,” and the remainder said it was ‘easier’. The telephone survey was done by Applied Research last month on behalf of Symantec, and it covered 120 questions about technology use — organizations remain overwhelmingly Microsoft Windows-based — and cyberattacks on organizations.”

Read more

This blog has been reposted from “ComputerWeekly.com“.

Corporate concerns over data security are holding back cloud computing.

Security experts, software suppliers and cloud service providers alike see the cloud as a once in a lifetime opportunity to make information security better than ever. The US government’s cybersecurity adviser Howard Schmidt says cloud computing will enable businesses to catch up on security issues and ensure they have the right mechanisms in place going forward.

His enthusiasm offers a sharp contrast to typical cloud computing security debates, which tend to focus on enterprise concerns about cybercriminals exploiting a single point of weakness to steal sensitive information.

Mark Lewis, partner and head of outsourcing at law firm Berwin Leighton Paisner, says that usually the biggest concern with cloud computing is that it puts all a company’s data and applications in one place.

“If you look at the massive data breaches at what are supposed to be some of the most secure organisations in the world, you would be concerned if everything were in one place,e_SDRq he says.

He points out that in the traditional outsourcing model the all-in-one-place scenario rarely happens because financial services firms package their contracts with different outsource suppliers.

It is unclear how businesses will follow this strategy in cloud, but Schmidt believes that, if handled properly, the shift to cloud-based computing could lead to better security.

“This is an opportunity to build in security best practices missing in many pre-Web 2.0 applications in use by the enterprise,” he says.

A reliable security infrastructure, says Schmidt, is essential if business is to get the full value out of cloud-based computing.

“Because cloud platforms are still developing, we now have the opportunity to build in best practice around things like authentication, data protection and data disposal from the start,” he says.

Does cloud computing need standards?

Users require service level agreements from cloud providers. They also need a standard for handling different kinds of data, especially sensitive personal data such as healthcare records, says Rick Gordon, managing director of US national security consultancy Civitas Group.

Gordon says that global IT security organisations and governments have a role to play in taking the lead on standards and should intervene rather than leaving it up to the emerging service providers.

Anthony Golledge, head of technology consulting at Detica, questions whether any specific cloud standards will be developed in the time frame they will be needed given the increasing number of cloud-based services becoming available.

“I am not convinced we need anything new,” he says. “I would rather use the things we are familiar with and move cautiously into the cloud way of working.”

Golledge points out that not all security necessarily needs to be within the cloud infrastructure, and could reside instead on the devices used to access cloud services.

“Users of cloud-based services can exercise some control through security policies on all end-point devices, fixed or mobile, that connect to the cloud,” he says.

End-users could adopt this as an interim approach to security until the infrastructure matures into this vision of something that is inherently secure by design, says Golledge. It may also be a longer-term way of enabling secure access for a single end-user device to services running on different cloud infrastructures.

But even if that vision of an inherently secure infrastructure is achieved, end-user organisations will not be able to avoid having to decide what information is allowed to be shared, which a secure infrastructure alone will not solve, he says.

The role of virtualisation

Virtualisation has also matured and will be a key enabler for security in the cloud, according to Eric Baize, senior director of the product security office at RSA.

“Virtualisation will be the engine that drives cloud computing, and I am pleased to see security conversations are happening at the same time as the cloud is evolving,” he says.

Eugene Kaspersky, chief executive of security firm Kaspersky Lab, says virtualisation will help to a degree but will not deter master cybercriminals.

He predicts that just as viruses moved from floppy disks to the internet, so any new technologies or methods that come with cloud computing will be scrutinised by cybercriminals in search of ways to exploit them.

“Virtualisation will enable better security, but there is still the human factor,” says Kaspersky. “People make mistakes and cybercriminals will find a way to exploit this.”

RSA is working with virtualisation supplier VMware to embed security technologies into the virtual operating system.

Initiatives such as this will make security controls in the cloud automatic, and more efficient and transparent to end-users than can be achieved in any physical infrastructure, says Baize. “Cloud computing is a great opportunity to do security right,” he adds.

Private clouds

Most IT security professionals agree that, in the short term at least, businesses should be extremely wary of putting sensitive company data in public clouds.

Businesses should also stick to low-risk, low-volume applications and build internal and private clouds to enable collaboration within the organisation and externally with partners.

Users of cloud-based services should always make sure they know who has their data, where that data is held, what they are doing with it and how they are protecting it.

“Demand greater transparency from the providers, mitigate risk with clear SLAs and ensure you have an exit strategy,” says Burton Group analyst Gerry Gebel.

According to Gartner analysts, investments in private cloud will make it easier for organisations to increase their use of public cloud services gradually as they mature and security improves.

Jumping directly into a public environment safely is probably too difficult an operation for most companies, says Golledge.

Gartner analyst Tom Bittman says that many of the investments in private clouds will prepare the enterprise for public cloud computing.

“These investments are not just technology changes,” he points out. “They are also process, cultural and business interface changes.”

The changes will include the virtualisation of services and operating shared services, but still with robust gateways that connect with other clouds, says Golledge.

“This will deliver some of the benefits of cloud computing, but you also have enforcement points where you can apply traditional security policies,” he explains.

Making these changes sooner rather than later will help enterprises to take better cloud sourcing decisions and potentially make an easier shift to public cloud computing, says Bittman.

The benefits of cloud are undisputed, but security remains a key concern and will be one of the most important factors in determining the speed and success of the world’s transition to this business model.

It will, however, be some time before enterprise know whether cloud is the best thing to happen in security or merely offers a host of new opportunities for cybercriminals.

UK businesses responsible for the data they collect

The European Network and Information Security Agency (ENISA) acknowledges that large service providers typically have the resource and expertise to deliver higher levels of security than many companies, particularly smaller enterprises.

But in its November 2009 report on cloud computing, the agency warns that companies remain responsible under UK law for safeguarding their customers’ information even if that data is stored by a service provider.

As data controllers, as defined by the Data Protection Act, UK companies are responsible for the security of their data, says Bridget Treacy, partner at law firm Hunton Williams.

Businesses need to be educated that technologies exist and under development to address concerns about access controls and data leakage prevention.

No single point of failure

Instead of the cloud being a single point of failure, Art Coviello, RSA president, says it can become a centralised way of controlling data and enforcing best security practices.

He sees it as an opportunity to embed security technologies such as data loss prevention into the core systems that will run the cloud, which is one of the most exciting developments for a decade.

Cloud computing could provide more granular security control than previously possible and one that is invisible to the end-user, says Philippe Courtot, chairman at security firm Qualys.

According to Courtot, cloud computing has the potential to achieve this higher level of security by simplifying everything.

Synchronising mobile devices will no longer be necessary, and by removing infrastructure and software concerns, the enterprise will be able to focus on the data and sharing it securely, he says.

Once data is in the cloud, says Courtot, enterprises will have much greater control over data access, distribution and modification than would otherwise be possible.

This blog was reposted from the “EMC IT’s Virtualization Journey” site.

They’ve demonstrated a proof-of-concept for securing the cloud that’s arguably far better than anything you’d find in most of today’s data centers.”

This post originally appeared on chucksblog.emc.com and is reprinted with permission.

You say something often enough, it becomes a personal meme. If enough people agree with you, and start saying the same thing, it might become an industry meme.

In that spirit, let me share with you a meme that shows every sign of making that transition.

Why? Because I think people are ready to accept this particular thought as conventional wisdom.

An Oversimplified History Of Cloud Thinking

The first round of people talking about cloud were the technologists.

The message? “Clouds Are Cool”.
These people were attracted to the power of the underlying technology to provide highly elastic infrastructure (as well as associated applications) that were largely free of traditional physical computing constraints.

Nice geeky conversations resulted, but — if you weren’t that sort of technologist — all of this kind of left you somewhat confused and disengaged. Plenty of those discussions still going on, though …

The next round of people talking about cloud were the business people.

The message? “Clouds Are Cheap”.
Hundreds (if not thousands) of studies were done, each comparing the cost-to-serve for a cloud-based service as compared to a traditional IT approach.

Many people found out just the opposite. If you’re doing enterprise IT at any decent scale, the convenient by-the-drink pricing models associated with so many external services can’t be justified as significantly less expensive.

And that makes a certain sense: at decent scale, we all pay pretty much the same prices for IT inputs: hardware, software, power, labor, etc. The difference? External service providers need to make a decent profit ; enterprise IT organizations don’t.

I think we’ve now entered the third (and most important) phase of the conversation: clouds (especially private clouds) can be a fundamentally improved way of providing enterprise IT services.

The message? “Clouds Are Better” – or certainly need to be.

A Bit Of Context

Given all the cloud chatter out there, I feel obligated to define my terms once again.

By “cloud”, I mean any next-generation IT environment that’s (1) built differently — dynamic pools of virtualized resources, (2) operated differently — purpose-built zero-touch or low-touch operational models, and (3) consumed conveniently — use of resource includes pay-for-use models, or other forms of convenient consumption.

Do all three, and you’re a cloud in my book. It has nothing to do with physical location or ownership model. By way of example, a truck is a truck regardless of where it’s parked, or who owns it. BTW, you’re free to disagree with this oversimplified view.

By “private”, I mean “an environment under the control of enterprise IT”, whether those resources sit in a traditional data center, or use compatible service provider resources, or — ideally — a combination of both.

Put up a cloud like environment that’s completely under the control of IT, (regardless of where it might physically sit, or what name is on the side of the building), and I’ll call it a “private cloud”.

From “Cool” To “Cheap” To “Better”

I will argue passionately that — in the history of enterprise IT adoption — newer models have to be better than the ones they replace or augment. It’s not enough to be “cool”. It’s not enough to be “cheap”. It has to be “better” than what it purports to replace.

So much of the cloud discussion tends to overstate the economic benefits, and understate the inherent compromises. The thinking tends to be “cheap and cheerful computing for stuff that doesn’t really matter to the business.”

I beg to differ.

I believe that near-term cloud models (especially private cloud models) can be far better than the traditional physical environments that the hope to replace. Yes, they’ll be more cost-effective — but that’s mere table stakes.

They’ll be able to deliver a far better class of enterprise IT services than their traditional physical counterparts.

“Better” Is In The Eye Of The Beholder

When considering enterprise IT services, the definition of “better” tends to vary depending on who’s doing the asking: the enterprise IT organization, or the people using their services.

That’s unfortunate (aren’t they really the same thing?) but it’s the world we live in …

The user of the service wants speed and flexibility — at a competitive cost. They’re more interested in what the enterprise IT services can help them do for the business, and care less about the gory details.

The traditional enterprise IT organizations usually starts with cost, and then dives into all the gory details around implementation, compatibility, security, compliance, etc.

Both ends of the “better” spectrum are incredibly important.

So, let’s look at just a small sampling of the ways where private cloud architectures can be potentially better than the traditional physical approaches they are attempting to replace.

Chuck’s Quick List Of “Private Clouds Can Be Better Because …”

Let’s start with cost-to-serve. Optimized infrastructure for virtualization that’s designed for purpose can serve more virtual machines than infrastructure that’s not designed for purpose. That’s one of the attractions of the Vblock and its associated technology components.

The right way to measure cost efficiency isn’t to disassemble the components into its constituent parts, and then argue about who’s got the best/cheapest server, network, storage, management interface, etc. Instead, it’s about measuring the “all in” cost per VM delivered.

Let’s move on to time-to-serve. Newer operational models can change the reaction time for providing a new service level (whether this is provisioning a new instance, or changing the service level for an existing delivered service) to minutes or seconds — usually without IT intervention. Not only does the business get what it wants far faster, but they consume exactly what they need at any given point of time, and do so without the need for expensive and cumbersome internal IT processes.

Now, let’s talk about availability and recoverability. The range of different potential service levels around availability and recoverability available in a fully virtualized private cloud model far exceeds what’s available in the physical world — and tends to be better, simpler and less expensive.

More importantly, the availability and recoverability attributes associated with a given set of applications are dynamic in nature — they get applied when needed, rather than uniformly. Try doing that with a traditional physical IT infrastructure approach!

How about security and compliance? The whole story isn’t out there (yet), but I will go on record that fully virtualized environments can be made far more secure, far more compliant, far more auditable — hence far more “trusted” than *any* typical physical infrastructure approach.

The virtual machine gives us a convenient “virtual perimeter” to defend that dramatically simplifies so much of what is daunting in the security and compliance world. Watch this space closely, if you’re a security architect.

Software and application compatibility? Basically, if it runs on Intel, it can run on a private cloud without any modifications. The stack above the CPU is completely up to you — operating system, database, middleware, application, etc. Again, better than what we typically get in the physical infrastructure world.

The list goes on: resource management, patch management, licensing compliance — pick your favorite pain-in-the-butt IT discipline, and I can make a case that it’s far better in the fully virtualized private cloud world.

But there’s more — there’s consumption models. Embrace a private cloud approach, and you’ll have a new set of options to either run your own infrastructure as efficiently as a cloud provider, use any number of a growing set of compatible service providers, or any dynamic combination you might need at a given point in time.

Getting this flexibility in consumption model is something that’s notoriously difficult in the traditional physical infrastructure world — and doing so dynamically is near-impossible.

And The Business User Perspective?

It’s simple: IT infrastructure doesn’t get in the way of what the business wants to get done. It’s available when needed, conveniently priced, and can be changed at a moment’s notice. Sort of like power, or phone, or transportation, or any other form of infrastructure that business use.

Why should IT infrastructure not evolve to be similar to other forms of infrastructure? No one asks me to pre-provision a phone call to Japan six weeks before the call, for example.

The answer is simple: that’s exactly what is happening before our eyes.

Getting To Better

So much of the cloud discussion seems to embed an apology for one kind of compromise or another. Hey, we’re at three 9’s availability. We don’t lose your data that often. Our unique software stack isn’t so bad. We do an OK job at security and compliance.

I find all of this completely misdirected.

We — as an industry — should have as a goal to make our enterprise cloud environments — whether they be private, public, etc. — far better than the environments we are replacing.

Private clouds aren’t all about cheaper IT, they’re about better IT. And being cost-effective is just the start of the discussion.