Wouldn’t it be wonderful if we could simply point to cloud standards and claim that such standards could reliably lubricate government adoption of safe, dependable, accreditable cloud computing?! Sadly, we cannot. At least, not yet.
And, this fact is as true for commercial adoption of cloud computing as it is for government adoption. It is also the subject of this month’s question in the Mitre Cloud Computing Forum for Government.
Email has long been a means and target for cybercriminals — whether the goal is to steal private data contained in messages, or just to use the messages to surreptitiously obtain access credentials that would open the door to other stores of data. Today, CSC has announced an offering that can help protect organizations from such cybersecurity threats. CSC’s CloudProtection for Mail and Web provides security from web-based attacks, stopping the threat before it ever reaches the enterprise customer. CSC officials say that the cloud-based CloudProtection can improve an organization’s security at a lower cost than other on-premise solutions. The official CSC news release also notes their SLAs for the product, “the strongest sets of Service Level Agreements in the industry,” covering the service availability and performance. With CloudProtection, according to the release, every business can ensure that every desktop has the most up-to-date anti-virus software, spam filters and spyware.
Read more
Matthew Moore can claim what few others in the still-maturing cloud computing space can claim: direct experience securing a cloud, beyond just the theoretical and postulating. His team has been securing CSC’s private cloud offerings for years.
Moore, Director of Global Security Solutions for the Americas at CSC, oversees a $4.6 billion commercial portfolio with all run-and-maintain, protection and compliance responsibilities falling to him and his team.
And yet, despite constant murmurs in press coverage about IT threats and risks associated with cloud computing, some might find Moore surprisingly upbeat and optimistic.
It’s not enough to settle for security. There is a difference between security and what the enterprise is really after when it comes to protecting their data and IT systems — trust.
What’s more, that trust, when it comes to cloud computing, is only going to be gained when cloud providers can answer a few simple questions.
That’s a matter CSC Director of Global Security Solutions Ron Knode calls transparency.
Forbes.com recently interviewed Knode in an article “Deciding Which Cloud Services To Trust.” In the article, Knode introduces six types of questions a business should ask any potential provider of cloud services, questions covering:
These are the general categories that comprise two dozen questions making up the CloudTrust Protocol, a protocol he and others working on it believe will bring greater transparency to cloud computing services, and thus create the type of trust in cloud computing that, as Knode says, “puts us in the business of liberation.”
When Forbes.com decided to run an article on the topic of cloud security recently, we weren’t surprised they turned to Ron Knode for input. Knode has been studying the issue since it, well, became an issue with the emergence of virtualization in enterprise technology.
In addition to holding the position of Director of Global Security Solutions at CSC, Knode is also a Leading Edge Forum (LEF) researcher who has penned plenty of his own articles — not to mention a series of posts here on our Enterprise Cloud Computing Guide. Knode is a regular presenter at industry events, including participation in this year’s Symantec Vision and Cloud Expo East events.
This most recent round of media interest (and it does seem to move in cycles in the cloud space) finds technology writer David F. Carr asking Ron about “Deciding Which Cloud Services To Trust” at Forbes.com.
One of the most frequently used tools to fight forest fires is … more fire! At first blush, this approach is counter-intuitive. But, the use of “back burns” to reduce the amount of flammable material and ultimately control the fire itself is a well-known and effective technique. The irony of “fighting fire with fire” lies at the heart of this month’s (May 2010) question on the Mitre cloud computing blog:
“How could a government system be more resilient to attack if hosted on a public cloud computing model versus a private one, and what are the added vulnerabilities the government would need to consider?”
In building a best-of-breed partner ecosystem of cloud computing service offerings, CSC has benefited from a strong relationship with Symantec, a global leader in security solutions. That’s the kind of partner it takes to offer Trusted Cloud Services.
Now that partnership is expanding, and CSC has announced today the extension of its current technology alliance with Symantec, an evolution in cloud services that will bring enhanced security products to businesses and governments around the world.
Lists are usually good things to have. They help us to organize tasks, concentrate our attention, and discipline our time and money. On the other hand, lists can also "cloud" the real goal or objective, and nudge us into a one-at-a-time, check-off style of work (occasionally called "stovepipe" work) that prevents us from recognizing linkages between items on the list, and targeting the ultimate objective or outcome.
I worry then about "recipes" for security in cloud computing.
Read more
The Question of the Month at the MITRE blog asks what government can do to facilitate the adoption of cloud computing to more effectively provide IT services. There are 3 things, actually.
But this question is clearly just a short step from January’s question. So, let’s deal with both of them:
First, January’s question: “What’s most significant cloud computing concern for federal orgs?”
I felt compelled to respond after reading Chris Hoff’s “Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream),” at his blog Rational Survivability. This post originally appeared as a comment to his post.
I am working with Hoff as a member of the A6 (Automated Audit, Assertion, Assessment, and Assurance API) group working on cloud security interoperability standards.
Hoff’s point is well said. It’s a forceful (and entertaining) echo in the cloud of earlier discoveries and comments about the ultimate importance of “trust” versus other words often intended to characterize related aspects (e.g., security, privacy), but which do not represent the real need, and so should never be confused as synonyms.
Any implementation of cloud services for the enterprise must strike a balance between rapidly implementing a solution and a solution of increasing complexity and cost.
I like Sreedhar’s observation that the established enterprise would need to leverage cloud IT services differently than a larger enterprise. I do agree that there is probably a well-defined set of startup services that can shorten the time necessary to both establish an development environment and get useful functionality out of the other end.
I think that the assertion that cloud will result in a reduction of complexity is arguable.
