Wouldn’t it be wonderful if we could simply point to cloud standards and claim that such standards could reliably lubricate government adoption of safe, dependable, accreditable cloud computing?!  Sadly, we cannot.  At least, not yet.

And, this fact is as true for commercial adoption of cloud computing as it is for government adoption.  It is also the subject of this month’s question in the Mitre Cloud Computing Forum for Government.

Well, we don’t have the standards, but what we do have is the collective sense that such standards are needed, and the energy to try to build them.  Furthermore, while the “standards” we need do not yet exist, we are not without the likely precursors to such standards, e.g., guidelines, so-called best practices, threat lists, special publications, and all manner of “advice-giving” items that try to aim us in the right direction (or at least aim us away from the very wrong direction).  In fact, we have so many contributors working on cloud standards of one kind or another that we are in danger of suffering the “lesson of lists” for cloud computing.

Nevertheless, given our desire to reap some of the benefits of cloud computing, should we not try to accelerate the production, publication, and endorsement of cloud computing standards from the abundance of sources we see today?

Wait a minute!  Standards can be a blessing or a curse.  On the one hand, standards make possible reasonable expectations for such things as interoperability, reliability, and the assignment and recognition of authority and accountability.  On the other hand, standards, especially those generated in haste and/or without widespread diligence and commentary, can bring unintended consequences that actually make things worse.  Consider, for example, the Wired Equivalent Privacy (WEP) part of 802.11 or the flawed outcomes and constant revisions for the PCI DSS (remember Hannaford and Heartland!?).

Furthermore, even when standards are carefully crafted and vetted with broad and intensive review, they can still be misinterpreted and misapplied by users, leading to surprising outcomes such as the USB device flaws that showed up in products with FIPS 140-2 certified modules.  Even the best standards require an informed and sensible application on the part of users.

What we seek are standards that lead us into trusted cloud computing, not just “secure” cloud computing or even “compliant” cloud computing.  Ultimately, any productive stack of standards must deliver transparency to cloud computing.  Otherwise, cloud consumers will remain trapped in the never-ending cycle of cloud security claims, with no easy way for individual and independent validation, and cloud vendors will remain stymied by having no regular way to demonstrate their conformance without a lot of technical mumbo-jumbo or expensive and time-consuming third party intervention.

Simply having cloud standards just to have standards does not bring any enterprise closer to the promised payoffs of the cloud.

Let’s consider the possibility that different categories of standards, or tiered standards, may be required to cover all of the important use cases for government and commercial use.  Not every cloud or every cloud market need necessarily be encumbered with every cloud standard.

Finally, let’s consider also what it might take to demonstrate compliance with standards.  For example, it is unlikely that “whole cloud” compliance will be effective or efficient across the board.  A standard that is more trouble than it’s worth is not going to be very helpful at all.

So, let’s proceed with all deliberate speed through some of the worthy efforts ongoing, but not declare success merely for the sake of an artificial deadline or competitive advantage.  The cloud definition and certification efforts sponsored by NIST and GSA, the security threat and guidance documents authored by the Cloud Security Alliance, the cloud modeling work of the OMG, the cloud provider security assertions technique proposed by Cloudaudit.org, and the CloudTrust Protocol that extends SCAP notions and techniques to reclaim transparency for cloud computing — all of these efforts certainly hold promise for accelerating the adoption of cloud computing for government and industry.

Let’s push and participate in the actions of these and other groups.  Ask questions, experiment, build prototypes, consider all manner of outcomes, and seek extensive and deliberate peer review.  Standards that survive such a process can be endorsed.  But, like fine wines, cheeses, (and even thunderstorms), “We will accept no cloud standard before its time.”

Ron Knode is Director of Global Security Solutions for CSC and a researcher with the Leading Edge Forum.

Email has long been a means and target for cybercriminals — whether the goal is to steal private data contained in messages, or just to use the messages to surreptitiously obtain access credentials that would open the door to other stores of data. Today, CSC has announced an offering that can help protect organizations from such cybersecurity threats. CSC’s CloudProtection for Mail and Web provides security from web-based attacks, stopping the threat before it ever reaches the enterprise customer. CSC officials say that the cloud-based CloudProtection can improve an organization’s security at a lower cost than other on-premise solutions. The official CSC news release also notes their SLAs for the product, “the strongest sets of Service Level Agreements in the industry,” covering the service availability and performance. With CloudProtection, according to the release, every business can ensure that every desktop has the most up-to-date anti-virus software, spam filters and spyware.
“Today, 90% of all inbound enterprise email typically contains spam, viruses and phishing, and businesses of all sizes have no choice but to address these issues immediately and cost-effectively,” said Siki Giunta, CSC’s Vice President of Cloud Computing and Software Services. The CloudProtection solution can be obtained on a pay-per-use basis from the CSC Gateway, an e-commerce portal for purchasing cloud computing and hosting services. The web-based portal allows organizations to implement cloud technologies rapidly at any scale, at any time of day. CSC has bolstered its position and technology in cloud security by deepening its existing partnership with Symantec. The companies announced a new, stronger partnership earlier this year. According to Ron Knode, CSC Director of Global Security Solutions, CloudProtection is an example of using cloud architecture to capture true pay-off. Knode said that simply using cloud to cut costs is OK, but it misses a greater opportunity to create new value in an organization. “This is using cloud to make business better,” Knode said. “With a cloud solution to protect an organization’s email, the organization can focus on more important things. CloudProtection can liberate them to do more important work. They can on-board and off-board people faster, the email is still hosted in their secure setting, and the business moves faster.” For more depth on cybersecurity from CSC, including more videos by Knode, visit http://www.csc.com/cybersecurity.

Matthew Moore can claim what few others in the still-maturing cloud computing space can claim: direct experience securing a cloud, beyond just the theoretical and postulating. His team has been securing CSC’s private cloud offerings for years.

Moore, Director of Global Security Solutions for the Americas at CSC, oversees a $4.6 billion commercial portfolio with all run-and-maintain, protection and compliance responsibilities falling to him and his team.

And yet, despite constant murmurs in press coverage about IT threats and risks associated with cloud computing, some might find Moore surprisingly upbeat and optimistic.

“A lot of people think of IT security solely in a protective sense, as being defensive,” Moore said in an interview Wednesday for Cloud Security & Trust Week. “But if I spent all my time worrying about the possible threats, just reacting, I can’t focus on the more critical operations of my business.”

Moore described the path of a typical client: A CIO is under pressure from a board of directors or senior executive leadership to “figure out how to get us into cloud.” But this CIO isn’t sure where to begin. It could be a bank with international regulations to adhere to, an industrial company in energy or aerospace and defense with valuable technology to protect — so rushing right into a cloud solution isn’t an option. That’s when they turn to a trusted advisor, Moore said.

“Folks might jump in too quickly,” Moore said. “But they also might not move because they’re too afraid. That’s the biggest risk I see.”

Moore said that not taking action can set an enterprise back from a market dominance perspective. Whatever makes a business competitive, he said, if the cloud can augment that, then it makes sense to do that.

CSC’s business-first approach, or “Right Cloud, Right Way” mantra, comes up at this point in the conversation. With a variety of cloud options — from private, to public, to hybrid clouds — and discrete cloud services for functions such as email and collaboration or application development and testing, an organization can move only those operations that make sense to the cloud, Moore pointed out.

“If there’s something like cloud that takes your business further, your biggest risk is not doing that thing,” he said. “Security should not be just about protecting you, it should be about enabling you.”

We’ll have more to say soon about security and CSC cloud computing offerings, so stay tuned for some big announcements.

It’s not enough to settle for security. There is a difference between security and what the enterprise is really after when it comes to protecting their data and IT systems — trust.

What’s more, that trust, when it comes to cloud computing, is only going to be gained when cloud providers can answer a few simple questions.

That’s a matter CSC Director of Global Security Solutions Ron Knode calls transparency.

“Security products and services help protect the value what  that you already have,” Ron said in an interview Wednesday. “Trust in the digital domain is the use of security services and products to create new enterprise value (knowing the traditional risk reduction will happen anyway).  We want to know what difference does it make to the enterprise.”

Knode has helped shape the strategy of CSC’s Trusted Cloud Services. Through his research with the Leading Edge Forum (LEF) and industry work groups like CloudAudit.org, Knode has been pushing for standards and protocols that create a two-way dialogue between cloud providers and consumers, a set of expectations and questions to establish trust in the in the technology delivered as a cloud as well as the business relationship between a cloud consumer and cloud provider.

“Trust and security are not the same thing,” Knode said. “Security is simply protective of enterprise value that already exists. Trust, on the other hand, is generating new enterprise value with security services and technologies, knowing that traditional risk reduction will happen as well.

“That comes from knowing that an organization’s residual risk is reduced. When trust is created in the digital domain, digital trust, people become liberated to do more important, more powerful work with greater pay-off. With digital trust, you can use cloud to make business better.”

Forbes.com recently interviewed Knode in an article “Deciding Which Cloud Services To Trust.” In the article, Knode introduces six types of questions a business should ask any potential provider of cloud services, questions covering:

• History/Reputation
• Uptime
• Portability
• Authentication
• Compliance
• Privacy

These are the general categories that comprise two dozen questions making up the CloudTrust Protocol, a protocol he and others working on it believe will bring greater transparency to cloud computing services, and thus create the type of trust in cloud computing that, as Knode says, “puts us in the business of liberation.”

Knode has been working with CloudAudit.org (formerly the A6 group), and with the draft definitions and standards developed by the National Institutes of Standards and Technology (NIST), to produce the CloudTrust Protocol. For example, if the latest recommendations of CloudAudit.org become a standard, the CloutTrust Protocol will be even easier to implement based on a foundation of some CloudAudit protocols and some existing (NIST) Security Content Automation Protocol (SCAP) results.

Knode says a test of the CloudTrust Protocol has been built and demonstrated, detailed semantics and syntax will soon be published, and an alpha release could even be available later this year.

“The pay-off has to be more than just saving money,” Knode said. “So, you have to be able to ’see inside.’ You have to be able to ask a cloud provider this set of questions. That’s how we reclaim transparency. If all we do with cloud is translate bogey-man stories from traditional data center operations, then we’ve missed a tremendous opportunity.”

Stay tuned for our next post in this week’s series on Cloud Security & Trust — we’ll talk with Matthew Moore, CSC’s Director of Global Security Solutions for the Americas.

When Forbes.com decided to run an article on the topic of cloud security recently, we weren’t surprised they turned to Ron Knode for input. Knode has been studying the issue since it, well, became an issue with the emergence of virtualization in enterprise technology.

In addition to holding the position of Director of Global Security Solutions at CSC, Knode is also a Leading Edge Forum (LEF) researcher who has penned plenty of his own articles — not to mention a series of posts here on our Enterprise Cloud Computing Guide. Knode is a regular presenter at industry events, including participation in this year’s Symantec Vision and Cloud Expo East events.

This most recent round of media interest (and it does seem to move in cycles in the cloud space) finds technology writer David F. Carr asking Ron about “Deciding Which Cloud Services To Trust” at Forbes.com.

The full article is worth reading for IT decision-makers, as it covers 3 sound pieces of advice:

1. Consult peers in your industry to see what experience they’ve had with particular cloud vendors and solutions. That’s as close as you’ll come to understanding the specific impact cloud computing can have on your business.
2. Don’t expect a secure service just because of the provider’s size or reputation — what Ron calls “presumptive security.” A well-known vendor does not necessarily equate to a 5-9 SLA (99.999% availability service level agreement).
3. Look for vendors that take a “business-first” approach, i.e. the vendors that move only the appropriate operations to a cloud solution, without increasing risk to critical operations or disrupting continuity.

A classic example of what this looks like in practice, says Knode, is the move to cloud-hosted email at Towson University, where he teaches. According to Knode, and described in his seminal paper “Digital Trust In The Cloud,” (PDF download) Towson administrators understood the pay-off of moving the school’s email service to Google — cost-savings and increased storage capacity at the top of the list. However, Towson officials were rightly concerned about the security of intellectual property contained in faculty emails and other such security issues. So, in a “business-first” approach, the university moved only student email to the Gmail platform while maintaining their comfort level with security for staff electronic communications.

With cloud providers making all sorts of claims, Knode also has been a champion of pushing enterprise IT developers and systems integrators to adopt protocols based on standards. Just as telecommunications and then the Internet forced adoption of common standards, cloud computing has presented a need to form consensus on language, frameworks, rights and expectations. Knode has worked intently with colleagues and the National Institute of Standards and Technology (NIST) cloud computing group to push toward a CloudTrust Protocol.

“The CTP extends the NIST and Department of Defense-sponsored Security Content Automation Protocol (SCAP) as a packaging and expression technique for some of the elements of transparency,” Knode says.

Transparency is his keyword. We’ll have more on that with Ron later today.

We’re taking some initiative at the blog today and declaring it Cloud Security & Trust Week. We realize it’s not quite a revolutionary thought, nor big news, but it’s a theme that’s trending again and it’s a topic taken seriously in these parts.

And more and more, it’s not a conversation topic exclusive to corporate IT executives. Cloud computing is now a mandatory consideration for most organizations. We’ve written on the blog before about how enterprises not normally associated with computing are finding payoffs in virtualization. A recent post on how the United States Golf Association has adopted cloud computing comes to mind.

Add to these real-world examples the NBA’s Boston Celtics, who’ve stopped talking man-to-man defense to talk about cloud security.

The Celtics VP talks in a CSO Online article about using cloud-based providers to maintain security for the organization’s email. The team uses a cloud solution to host mail, and another cloud solution secures the mail with virus protection.

Over at Microsoft, Worldwide Chief Security Advisor Roger Halbheer has been writing a lot about cloud security recently, encouraging the federal government to consider the issue in greater detail and with more coordination. Halbheer announced in a post on his blog last week [link] his move from an EMEA role to a global advising role for Microsoft, again showing the increasing importance of the cloud security topic.

Of course, CSC remains at the forefront of cloud security discussions. CSC appointed Andy Purdy as Chief Cybersecurity Strategist in February. Last week he presented in Zurich, Switzerland, at the 2010 Workshop on Cyber Security and Global Affairs & Security Confabulation IV. His presentation, “A Global, Strategic Approach to Cyber Crime,” [download] notes the worldwide spike in malicious acts in IT and the need for the public and private sector to partner in order to effectively combat the cyber threat.

Purdy’s talk was accompanied by dozens of others on similar topics, and other events are spring up around the world — later this month is the Cloud Identity Summit, for example. So, this week we’ll explore the topic in some detail here with the help of the team at CSC.

Tomorrow, we’ll continue with a discussion featuring CSC’s Global Security Solutions Director Ron Knode. Knode was recently featured in a Forbes article on choosing the right cloud services vendor based on security concerns [link].

It’s the best of both worlds when a technology solution improves results and cuts costs at the same time, and that’s the potential with CloudExchange, CSC’s email and collaboration integration that includes Microsoft Exchange 2010-as-a-service.

Enterprises with large-scale communications needs can not only reduce the cost of delivering email to each and every employee, they can foster innovation and increased productivity through instant messaging and video, document sharing and other features of this cloud-based offering.

The CloudExchange solution will be beneficial to increasingly mobile workforce — the knowledge workers who, these days, need real-time information to aid in decision making and accelerate business cycles.

Some features of CloudExchange:

• Global availability of email applications with browser-based access
• On-demand, self-service
• Rapidly and elastically provisioned capabilities
• Resource pooling

Imagine employees using CloudExchange to complete a proposal or contract while holding a video chat, with the addition of calendar and spreadsheets.

If this sounds like the sort of email and collaboration solution your organization needs, we encourage you to contact our CloudExchange team.

For the software makers out there, or the business units that develop applications for the enterprise, we’re happy to introduce CloudLab.

CloudLab is software development and testing in a cloud-based environment, offered via a software-as-a-service (SaaS) model. CloudLab is the newest addition to the portfolio of offerings from CSC’s Trusted Cloud Services. We’re excited to tell you more about it.

CloudLab provides on-demand capability for application developers that need greater control over configuration and an environment that scales to match real-world user loads. The cloud-based development and test platform means software engineers can improve speed to market at the same time they cut project capital costs.

Basically, with CloudLab at your service, the IT department doesn’t need to purchase and maintain its own server environment just to spin up what might only be a routine change, test application or proof of concept. CSC has taken care of that infrastructure, as well as the Web portal to set it all up as you need it.

“With CloudLab, organizations can plan and execute safe application changes in days rather than months,” said Siki Giunta, CSC VP of Cloud Computing and Software Services, in the official press release.

Other important feature points worth noting:

• Self-service — The CSC Gateway for purchasing and provisioning will enable easy control of users, configurations, templates and other assets
• Runtime applications remain unchanged — No problems and no need to modify production images when importing or exporting between environments
• Snapshot and suspend — Quickly create copies of complex configurations
• Controlled access — Maintain security just as easily as physical servers
• Reporting and visibility — Auditable tracking of users, usage and actions

What’s it mean overall? To the business enabled by CloudLab, it means agile response. It means business processes that can respond to competitive or economic variables.

To learn more about it, contact our CloudLab team.

And stay  tuned: We’ll have more to say about the CSC Gateway in future posts.

In support of our effort to provide enterprise-class cloud computing services with the highest level of security and reliability that CSC customers have come to expect in the past 50 years, CSC is announcing today the opening of 7 new cloud-enabled data centers around the globe.

Customers of CSC’s Trusted Cloud Services and Hosting solutions will have access to these new data centers that feature fully virtualized cloud fabric and offer multiple grades of service level agreement. The new CSC data centers will afford customers even more infrastructure to integrate their public, private or hybrid cloud IT architecture.

The new data centers join CSC’s established network of global computing resources, ensuring that CSC customers can be assured of continuous cloud computing business operations in every time zone.

According to Siki Giunta, CSC Vice President of Cloud Computing and Software Services, CSC’s combination of data centers and cloud computing solution offerings markedly set the company apart from the competition. Giunta says CSC has uniquely combined solutions up and down the IT stack, from the infrastructure to the software development and test environment, to a web interface for self-managing the provision of cloud services.

“CSC’s Trusted Cloud and Hosting portfolio will continue to grow as the market defines new requirements,” Giunta said in an official press release. “CSC is the right partner to enable any size enterprise to achieve the financial benefits of cloud services.”

These cloud services will be accessible through a new Internet portal, the CSC Gateway. The Gateway will speed up customers’ ability to provision and manage hosting and other services from a common web interface.

Here are a few quick facts on CSC’s new data centers and the CSC Gateway:

• The 7 data centers will be located in Chantilly, Va.; Newark, Del.; Chicago, Ill.; Sydney, Australia; Copenhagen, Denmark; Luxembourg; and New Kent Complex, UK.
• The data centers feature full software recovery capabilities, energy optimization, enterprise-class scalability and dynamic workload balancing.
• The CSC Gateway will offer access to the complete catalog of Trusted Cloud Services and includes features for self-managing computing resources, monitoring pay-per-use rates and electronic purchase orders.

You can read more on the portfolio of CSC cloud offerings at www.csc.com/cloud.

To get real-time updates on cloud computing offerings and news, follow CSC on Twitter @CSCTrustedCloud or @CSCNews.