More on Cloud Computing
Several months ago I wrote a blog entry on cloud computing and after all that vitriol, I wouldn’t blame you if you did not want to read anything else about cloud computing that I have written. But I just attended the COSAC Conference in Ireland, and my brain is (as always after I attend this conference) full of new ideas. Issues concerning cloud computing frequently came up during presentations and the workshop sessions. I admit that I have been a harsh critic of the notion of cloud computing because it is really nothing new and because it too often amounts to handwaving and marketing hype more than anything of substance. So I tried to keep an open mind with respect to cloud-related issues. Here are some of the things that I learned and observed:
• Many seasoned information security professionals are also skeptical about the hype concerning cloud computing. They, like me, criticize the vagueness of the thinking that surrounds this latest craze. They share the same concerns that I do concerning the fact that once you are in the cloud, you are at the mercy of the cloud service provider when it comes to security risk management. (The best analogy is valet parking at a fancy restaurant—once you hand over the keys to an attendant, you lose control of your car.)
• Granted, academics are excited about so-called cloud computing because it offers the opportunity to think about and create new computing as well as service delivery models. Although cloud computing is at a high level based on the distributed (client-server) model of computing, the exact nature of the client-server relationship in the cloud is open to all kinds of interesting variations. The ways services are delivered are also of keen interest to academics. Performance in cloud-based service delivery is currently yet another hot issue. But if you view these issues from an information security perspective, the excitement quickly dissipates. The fact of the matter is that no matter what particular model one adopts, when you hand your car keys to a valet parking attendant, you have relinquished control.
• Granted, in cloud computing you can set up statements of work (SOWs) to have cloud service providers deliver security services as part of their cloud-based services. There is nothing new here, either, except that an organization that uses cloud services has to a large extent forfeited the ability to adequately monitor what the cloud service provider actually does or does not do in meeting the requirements of the SOW the moment that the organization signs the SOW. The cloud service provider is out somewhere there in the proverbial cloud, far away from the scrutiny of the contracting organization. Consider in contrast the situation in which an organization hires a non-cloud-based contractor to deliver certain security services. The organization can require that the contractor provide security services at the organization’s site, thereby allowing the organization to directly monitor the contractor’s performance. Cloud computing thus in effect boils down to almost the same security issues as outsourcing/offshoring, something that is hardly a new issue in information security.
• Finally, I heard a fascinating short talk by John Sherwood, the creator of the SABSA security architecture model, in which he addressed possible solutions to the many risks that cloud computing introduces. He proposed the emergence of “trusted security brokers,” middle men who can provide security in the cloud by monitoring cloud traffic and serving as an intermediary between an organization and cloud service providers. What exactly these intermediaries are able to do and how they are able to do it remains unspecified, but at least we now have a tangible possible control mechanism capable of mitigating, at least to some degree, the monstrous risk that cloud computing creates.
That’s it—I won’t keep harping on a subject that I really don’t like. Remember when in the mid-1990s information security conferences had one PKI-related session after another? I soon tired of the subject, and felt that the hype far outweighed the substance. The same is true of cloud computing. Seasoned security professionals are going to have to endure numerous presentations on this subject at information security and other conferences for years to come. But then, just as in the case of PKI, the hype will die down and security professionals will quickly turn to other issues. Thank goodness, but in the interim, having to endure all this hype is going to continue to be painful.