Kim Cameron blogs on a recent industry panel on (what else?) cloud computing (emphasis added):
There was a lot of enthusiasm about the potential of cutting costs. The discussion wasn’t so much about whether cloud services would be helpful, as about what kinds of things the cloud could be used for. A government architect sitting beside me thought it was a no-brainer that informational web sites could be outsourced. His enthusiasm for putting confidential information in the cloud was more restrained.
Quite a bit of discussion centered on how “compliance” could be achieved in the cloud. The panel was all over the place on the answer. At one end of the spectrum was a provider who maintained that nothing changed in terms of compliance - it was just a matter of outsourcing. Rather than creating vast multi-tenant databases, this provider argued that virtualization would allow hosted services to be treated as being logically located “in the enterprise”.
At the other end of the spectrum was a vendor who argued that if the cloud followed “normal” practices of data protection, multi-tenancy (in the sense of many customers sharing the same database or other resource) would not be an issue. According to him, any compliance problems were due to the way requirements were specified in the first place. It seemed obvious to him that compliance requirements need to be totally reworked to adjust to the realities of the cloud.
Someone from the audience asked whether cloud vendors really wanted to deal with high value data. In other words, was there a business case for cloud computing once valuable resources were involved? And did cloud providers want to address this relatively constrained part of the potential market?
The discussion made it crystal clear that questions of security, privacy and compliance in the cloud are going to require really deep thinking if we want to build trustworthy services.
The session also convinced me that those of us who care about trustworthy infrastructure are in for some rough weather. One of the vendors shook me to the core when he said, “If you have the right physical access controls and the right background checks on employees, then you don’t need encryption”.
I have to say I almost choked. When you build gigantic, hypercentralized, data repositories of valuable private data - honeypots on a scale never before known - you had better take advantage of all the relevant technologies allowing you to build concentric perimeters of protection. Come on, people - it isn’t just a matter of replicating in the cloud the things we do in enterprises that by their very nature benefit from firewalled separation from other enterprises, departmental isolation and separation of duty inside the enterprise, and physical partitioning.
First off, we need to get Kim to spend more time in the field ;-P. One of my "favorite" stories came from an early app sec engagement circa 2000: we were trying to convince a CISO to scan a web-facing app that ran the entire company for vulns, and we literally could not get the individual to sign off on a very small piece of work.
When we probed for why, the response was: "Well, if we scan the app we may find some things." "Yes, OK, we may find some issues in the app that runs the entire business, so... what's the problem?" "Well, then we would need to fix them."
I mean, I am sure this sounds crazy, but realistically we're in an industry with a multi-decade record of non-innovation, so there is no real reason to assume that most companies are going to roll out a cloud with anything more than "physical access controls & background checks".
What's your favorite story?