Wouldn’t it be wonderful if we could simply point to cloud standards and claim that such standards could reliably lubricate government adoption of safe, dependable, accreditable cloud computing?! Sadly, we cannot. At least, not yet.
And, this fact is as true for commercial adoption of cloud computing as it is for government adoption. It is also the subject of this month’s question in the Mitre Cloud Computing Forum for Government.
Email has long been a means and target for cybercriminals — whether the goal is to steal private data contained in messages, or just to use the messages to surreptitiously obtain access credentials that would open the door to other stores of data. Today, CSC has announced an offering that can help protect organizations from such cybersecurity threats. CSC’s CloudProtection for Mail and Web provides security from web-based attacks, stopping the threat before it ever reaches the enterprise customer. CSC officials say that the cloud-based CloudProtection can improve an organization’s security at a lower cost than other on-premise solutions. The official CSC news release also notes their SLAs for the product, “the strongest sets of Service Level Agreements in the industry,” covering the service availability and performance. With CloudProtection, according to the release, every business can ensure that every desktop has the most up-to-date anti-virus software, spam filters and spyware.
Read more
It’s not enough to settle for security. There is a difference between security and what the enterprise is really after when it comes to protecting their data and IT systems — trust.
What’s more, that trust, when it comes to cloud computing, is only going to be gained when cloud providers can answer a few simple questions.
That’s a matter CSC Director of Global Security Solutions Ron Knode calls transparency.
Forbes.com recently interviewed Knode in an article “Deciding Which Cloud Services To Trust.” In the article, Knode introduces six types of questions a business should ask any potential provider of cloud services, questions covering:
These are the general categories that comprise two dozen questions making up the CloudTrust Protocol, a protocol he and others working on it believe will bring greater transparency to cloud computing services, and thus create the type of trust in cloud computing that, as Knode says, “puts us in the business of liberation.”
When Forbes.com decided to run an article on the topic of cloud security recently, we weren’t surprised they turned to Ron Knode for input. Knode has been studying the issue since it, well, became an issue with the emergence of virtualization in enterprise technology.
In addition to holding the position of Director of Global Security Solutions at CSC, Knode is also a Leading Edge Forum (LEF) researcher who has penned plenty of his own articles — not to mention a series of posts here on our Enterprise Cloud Computing Guide. Knode is a regular presenter at industry events, including participation in this year’s Symantec Vision and Cloud Expo East events.
This most recent round of media interest (and it does seem to move in cycles in the cloud space) finds technology writer David F. Carr asking Ron about “Deciding Which Cloud Services To Trust” at Forbes.com.
We’re taking some initiative at the blog today and declaring it Cloud Security & Trust Week. We realize it’s not quite a revolutionary thought, nor big news, but it’s a theme that’s trending again and it’s a topic taken seriously in these parts.
And more and more, it’s not a conversation topic exclusive to corporate IT executives. Cloud computing is now a mandatory consideration for most organizations. We’ve written on the blog before about how enterprises not normally associated with computing are finding payoffs in virtualization. A recent post on how the United States Golf Association has adopted cloud computing comes to mind.
Add to these real-world examples the NBA’s Boston Celtics, who’ve stopped talking man-to-man defense to talk about cloud security.
One of the most frequently used tools to fight forest fires is … more fire! At first blush, this approach is counter-intuitive. But, the use of “back burns” to reduce the amount of flammable material and ultimately control the fire itself is a well-known and effective technique. The irony of “fighting fire with fire” lies at the heart of this month’s (May 2010) question on the Mitre cloud computing blog:
“How could a government system be more resilient to attack if hosted on a public cloud computing model versus a private one, and what are the added vulnerabilities the government would need to consider?”
Pilots! We all love pilots! Not the “wild blue yonder” kind, but the sampling, experimenting, exploring, validating, try-it-on-for-size kind. And, it’s not just governments that appreciate the value of pilots. Enterprises of all kinds (public or private, supplier or consumer, large or small) have recognized the potential benefits of pilots and generally endorse them as part of larger development or acquisition models.
Whenever new products or processing methods or application innovations show up, pilots are among the first techniques chosen to examine the validity and payoff potential of that “new thing.”
Global team members from CSC Trusted Cloud Services have booked a busy schedule of upcoming cloud computing conferences and events — but that’s what it takes to keep the conversation going.
Decision-makers in search of insight to clear confusion on the implications of cloud models and solutions and how to get the most value out of transitioning their organization’s IT infrastructure and services to the cloud will do well to catch up with CSC Director of Global Security Solutions Ron Knode and VP of Cloud Computing and Emerging Markets Brian Boruff at two events this month.
Lists are usually good things to have. They help us to organize tasks, concentrate our attention, and discipline our time and money. On the other hand, lists can also "cloud" the real goal or objective, and nudge us into a one-at-a-time, check-off style of work (occasionally called "stovepipe" work) that prevents us from recognizing linkages between items on the list, and targeting the ultimate objective or outcome.
I worry then about "recipes" for security in cloud computing.
Read more
The Question of the Month at the MITRE blog asks what government can do to facilitate the adoption of cloud computing to more effectively provide IT services. There are 3 things, actually.
But this question is clearly just a short step from January’s question. So, let’s deal with both of them:
First, January’s question: “What’s most significant cloud computing concern for federal orgs?”
I felt compelled to respond after reading Chris Hoff’s “Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream),” at his blog Rational Survivability. This post originally appeared as a comment to his post.
I am working with Hoff as a member of the A6 (Automated Audit, Assertion, Assessment, and Assurance API) group working on cloud security interoperability standards.
Hoff’s point is well said. It’s a forceful (and entertaining) echo in the cloud of earlier discoveries and comments about the ultimate importance of “trust” versus other words often intended to characterize related aspects (e.g., security, privacy), but which do not represent the real need, and so should never be confused as synonyms.
