I have a new paper in the current IEEE Security & Privacy Journal, called "Don't Trust. And Verify." It describes a Security Architecture Stack for the Cloud. It covers some of the ground that I discussed in my keynote at Cloud Identity Summit.
There are four patterns that I see as key for Cloud Security: Gateways, Monitoring Services, Security Token Services and PEP/PDP.
I think that using patterns is a different way to approach security architecture from how it's normally done. There are certainly other technologies, patterns and processes that are vital to Cloud Security, but I see these four as essential - not because they give us a magic way to trust the cloud, but rather because they give us a way to verify.
Oh, and one more thing: in the recent multibillion-dollar spate of security company acquisitions, one of the reasons inevitably given by the acquiring company was more focus on Cloud and mobile security. But most of those acquisitions do not address the aforementioned patterns in any great detail, so there is a lot of opportunity for the security industry to improve going forward.
Good article. Personally I find that when people say "How can we trust the Cloud?", they are missing the point. The real question is "How can I leverage a Cloud service provider even if I don't trust them, and actually will never trust them". So, though you rightly mention that SSL is part of yesterday's solution, there is an analogy in that SSL was all about overlaying security on an untrusted system (i.e. you may not trust your ISP or indeed your own network admins, but when you use SSL you mitigate against this). So, as you say, it's not about "a magic way to trust the Cloud".
Posted by: Mark O'Neill | October 19, 2010 at 10:36 AM
No joke, EVERY discussion I had with vendors regarding cloud identity was followed by the vendor being acquired shortly afterward. Someone's reading my mail (Google?). I'm talking Verisign, Tricipher, Arcot, and others.
Posted by: Slonob | October 21, 2010 at 07:56 AM
@Slonob - what do you have against ArcSight, McAfee, and Fortify? ;-P Agree, it's been a crazy year for security acquisitions, and that's an understatement.
Posted by: Gunnar | October 21, 2010 at 08:36 AM