I’ve been attending the Cloud Computing World Forum at London’s Olympia. It’s good to see so many vendors, both established players and new-to-market startups, working towards services and solutions aimed at the cloud community. My focus on security and governance drives me to look at how the major players, and the OS-level providers such as Red Hat, view regulation and standards.
Talking to Red Hat prior to the forum and listening to the way that their new “Cloud Foundations” platform has been engineered, it’s encouraging to see how the building blocks and interconnects that are architected out of the box deliver a lot of cloud functionality for providers and integrators alike. It will be interesting to see how they address security standards, logging, monitoring and auditing without reinventing the platform. I expect to see modular technologies evolve from the Open Source community to provide a halfway house and some management capability useful to an auditor in the enterprise space.
You could argue that standards are still emerging (for example, the PCI standards don’t yet offer virtualisation guidance) and that any relationship with a cloud vendor is both strategic and, to a degree, contractually customisable. What doesn’t seem evident from the major vendors and ISV providers is any openness about what compliance, governance and audit mean for the burgeoning cloud market.
We now live in a world where PCI, SAS 70, Basel II, SOX and ISO 27001 provide us with structures to hang our controls and security processes on. Where there seems to be a gap amongst all the key players in the market is in how you actually deploy to those security standards. Many providers and cloud enablers see provisioning and uptime as the hot buttons, and protective monitoring and audit as an add-on. Whilst you can argue that building your own private cloud using tools such as those shipped out of the box with Canonical’s latest Ubuntu server build gets you off and running, awareness and security still come back to being the principal building blocks around the security of your data.
It’s heartening to see so many vendors looking at the security of virtualisation and at the risks and issues around data in transit. How you would deploy many of these physical or virtual appliances within your hosted cloud (especially in a multi-tenanted environment) is open to interpretation. When I’ve posed this question to some vendors, they expressed the opinion that you’d be amazed at what you’ll see in such a hosted environment, given that not every tenant will be thinking about the security of data in transit or at rest, or will have given much thought to application integration at the SaaS level.
There is still a definite gap in the market around governance and certification, both from a service perspective and across the clutch of technologies that are addressing the needs of the market. The emerging standards, such as those being suggested by initiatives like the marriage of Intel, RSA and VMware, form the steps that the next generation of cloud architects can follow as we move to a new, braver world, often outside the corporate firewall.
A brave new world demands enquiring minds and the need to always look beyond the classic interpretation of threat. Understanding customer engagement and evolving threats will bring a new breed of security professionals and CISOs.