
The CIO dilemma

By Rik Ferguson, Trend Micro solutions architect.


Johannesburg, 29 Apr 2010

Three quarters of UK CIOs see security as being the major barrier to cloud adoption, and yet, if you take a look at a Wikipedia entry on cloud computing, security is listed as one of the key characteristics of cloud-based services. How can this be?

One of the reasons for this apparent contradiction must surely lie with the language itself, and not the technology. We already know that the term “cloud” when applied to technology has a different meaning to everyone who uses it and everyone who hears it. Hell, the term “cloud” when applied to clouds has a multitude of possibilities! The truth is, though, that the same is true of the term “security”.

If you talk to a sysadmin, a network admin, a coder, a hacker, a security guard, a facilities manager or a three-star general about security, then once again they will each have their own understanding of the definition, the aims and the means of achieving that elusive “security”. If you ask a C-level executive what security means, especially in the context of cloud, then they will have a different understanding again.

To an executive, security is all about control and accountability. Data, and the management of that data, are the asset and the task currently most often considered for delegation to cloud providers.

Today's legislation places a burden, with corresponding sanctions, on corporate executives to ensure that the data they hold is stored and processed in a secure manner. Future legislation promises to extend this burden of accountability, and the penalties for non-compliance can be severe, stretching even to jail time.

When your most precious assets are tucked up tight in your own data centre, handled by your own employees on physical systems that you can secure discretely, then creating an audit trail and accountability is far simpler. The control remains with the data owner. In the cloud environment as it currently stands, much of this control is outsourced, but none of the accountability.

Virtualisation, multi-tenancy and storage area networks are the technological engines powering cloud services. The rapid provisioning of virtual machines across highly scalable, highly available infrastructure gives cloud providers the economic advantage that is their business promise.

Cloud customers need to be secure in the knowledge that they retain control over the secure perimeter of their virtual machine, and that it is not dependent on any configuration at the provider end.

Cloud customers need to know their data is sufficiently encrypted in the SAN that it cannot be accessed or used by anyone other than those who hold the keys, and that the keys are not held by the cloud provider.

In order to increase the acceptability of cloud to the enterprise executive, we need to design tools that ensure control over the security of key underlying technologies. It is only when a CIO has control that they can reasonably be expected to accept accountability.

* Trend Micro solutions architect Rik Ferguson will deliver a talk on “Why in-the-cloud security technologies are the answer” at ITWeb's Security Summit, which takes place from 11 to 13 May, at the Sandton Convention Centre.
