Kim Cameron blogs on a recent industry panel on (what else?) cloud computing (emphasis added):
There was a lot of enthusiasm about the potential of cutting costs. The discussion wasn’t so much about whether cloud services would be helpful, as about what kinds of things the cloud could be used for. A government architect sitting beside me thought it was a no-brainer that informational web sites could be outsourced. His enthusiasm for putting confidential information in the cloud was more restrained.
Quite a bit of discussion centered on how “compliance” could be achieved in the cloud. The panel was all over the place on the answer. At one end of the spectrum was a provider who maintained that nothing changed in terms of compliance - it was just a matter of outsourcing. Rather than creating vast multi-tenant databases, this provider argued that virtualization would allow hosted services to be treated as being logically located “in the enterprise”.
At the other end of the spectrum was a vendor who argued that if the cloud followed “normal” practices of data protection, multi-tenancy (in the sense of many customers sharing the same database or other resource) would not be an issue. According to him, any compliance problems were due to the way requirements were specified in the first place. It seemed obvious to him that compliance requirements need to be totally reworked to adjust to the realities of the cloud.
Someone from the audience asked whether cloud vendors really wanted to deal with high value data. In other words, was there a business case for cloud computing once valuable resources were involved? And did cloud providers want to address this relatively constrained part of the potential market?
The discussion made it crystal clear that questions of security, privacy and compliance in the cloud are going to require really deep thinking if we want to build trustworthy services.
The session also convinced me that those of us who care about trustworthy infrastructure are in for some rough weather. One of the vendors shook me to the core when he said, “If you have the right physical access controls and the right background checks on employees, then you don’t need encryption”.
I have to say I almost choked. When you build gigantic, hypercentralized, data repositories of valuable private data - honeypots on a scale never before known - you had better take advantage of all the relevant technologies allowing you to build concentric perimeters of protection. Come on, people - it isn’t just a matter of replicating in the cloud the things we do in enterprises that by their very nature benefit from firewalled separation from other enterprises, departmental isolation and separation of duty inside the enterprise, and physical partitioning.
First off, we need to get Kim to spend more time in the field ;-P. One of my "favorite" stories came from an early app sec engagement circa 2000: we were trying to convince a CISO to scan a web-facing app that ran the entire company for vulns, and we literally could not get the individual to sign off on a very small piece of work.
OMG! All I hear all day long is how we don't need encryption on the "trusted internal network". Now we don't need it outside the internal network either? I'm closing all my accounts and putting my money in my mattress.
Posted by: T.Rob | May 14, 2009 at 09:49 AM
T. Rob - rest easy, Nebraska Furniture Mart introduced a "Nervous Nellie Mattress" with a night depository slot to keep all your money in your mattress
http://caps.fool.com/Blogs/ViewPost.aspx?bpid=194350&t=01005037795772426156
Posted by: Gunnar | May 14, 2009 at 09:57 AM
Another thing about the "trusted internal network": you frequently hear this from companies with 50,000 or so employees, hundreds of b2b connections and web-facing front ends. I usually ask - if you lived in a town of 50,000 people, would you lock your door? Would you have a police force? Would you leave your jewelry on the front lawn?
I have never understood why people are so good in the physical at developing separate protection models for jewelry and hockey sticks, but in the digital world the jewelry and hockey sticks get the same "trusted internal" treatment.
Posted by: Gunnar | May 14, 2009 at 10:01 AM
Lots of random thoughts in response...
Got to get me some o' dat Nervous Nellie mattress! I suppose the bearer bonds are not included. :-( I must admit, when I first read "mattress with a night depository slot" I thought you were going somewhere else. Although, I suppose that model would be a top seller. Patent time!
And I love the town analogy. I may start using that. Up to now I've been comparing it to sending mail in post cards versus envelopes. Nobody making these recommendations pays their bills on post cards. They send the checks inside of envelopes and that's a messaging system with at least an order of magnitude less exposure.
I once toured the police station with a pack of scouts. You know the police have lockers with locks on them? You might think that shouldn't be necessary but sometimes it's as much about accountability as it is about security.
According to this post at BankInfoSecurity ( http://www.bankinfosecurity.com/articles.php?art_id=1455&pg=1 ) VISA are looking at end-to-end message-level encryption. Someone should tell them about physical access controls and background checks before they waste a lot of time and money.
On the up side, this job wouldn't be nearly so rewarding if it wasn't also challenging.
Posted by: T.Rob | May 14, 2009 at 12:34 PM
wow -- can you say copyright violation?
Posted by: anon | May 14, 2009 at 02:42 PM