Wouldn’t it be wonderful if we could simply point to cloud standards and claim that such standards could reliably lubricate government adoption of safe, dependable, accreditable cloud computing?! Sadly, we cannot. At least, not yet.
And, this fact is as true for commercial adoption of cloud computing as it is for government adoption. It is also the subject of this month’s question in the Mitre Cloud Computing Forum for Government.
Matthew Moore can claim what few others in the still-maturing cloud computing space can claim: direct experience securing a cloud, beyond just the theoretical and postulating. His team has been securing CSC’s private cloud offerings for years.
Moore, Director of Global Security Solutions for the Americas at CSC, oversees a $4.6 billion commercial portfolio with all run-and-maintain, protection and compliance responsibilities falling to him and his team.
And yet, despite constant murmurs in press coverage about IT threats and risks associated with cloud computing, some might find Moore surprisingly upbeat and optimistic.
It’s not enough to settle for security. There is a difference between security and what the enterprise is really after when it comes to protecting their data and IT systems — trust.
What’s more, that trust, when it comes to cloud computing, is only going to be gained when cloud providers can answer a few simple questions.
That’s a matter CSC Director of Global Security Solutions Ron Knode calls transparency.
Forbes.com recently interviewed Knode in an article “Deciding Which Cloud Services To Trust.” In the article, Knode introduces six types of questions a business should ask any potential provider of cloud services, questions covering:
These are the general categories that comprise two dozen questions making up the CloudTrust Protocol, a protocol he and others working on it believe will bring greater transparency to cloud computing services, and thus create the type of trust in cloud computing that, as Knode says, “puts us in the business of liberation.”
When Forbes.com decided to run an article on the topic of cloud security recently, we weren’t surprised they turned to Ron Knode for input. Knode has been studying the issue since it, well, became an issue with the emergence of virtualization in enterprise technology.
In addition to holding the position of Director of Global Security Solutions at CSC, Knode is also a Leading Edge Forum (LEF) researcher who has penned plenty of his own articles — not to mention a series of posts here on our Enterprise Cloud Computing Guide. Knode is a regular presenter at industry events, including participation in this year’s Symantec Vision and Cloud Expo East events.
This most recent round of media interest (and it does seem to move in cycles in the cloud space) finds technology writer David F. Carr asking Ron about “Deciding Which Cloud Services To Trust” at Forbes.com.
Lists are usually good things to have. They help us to organize tasks, concentrate our attention, and discipline our time and money. On the other hand, lists can also "cloud" the real goal or objective, and nudge us into a one-at-a-time, check-off style of work (occasionally called "stovepipe" work) that prevents us from recognizing linkages between items on the list, and targeting the ultimate objective or outcome.
I worry then about "recipes" for security in cloud computing.
Read more
I felt compelled to respond after reading Chris Hoff’s “Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream),” at his blog Rational Survivability. This post originally appeared as a comment to his post.
I am working with Hoff as a member of the A6 (Automated Audit, Assertion, Assessment, and Assurance API) group working on cloud security interoperability standards.
Hoff’s point is well said. It’s a forceful (and entertaining) echo in the cloud of earlier discoveries and comments about the ultimate importance of “trust” versus other words often intended to characterize related aspects (e.g., security, privacy), but which do not represent the real need, and so should never be confused as synonyms.
