Cloud Connections: Cloud represents ‘reset button’ for security ecosystem

Las Vegas - Cloud providers and IT pros need to figure out how to secure the cloud in the next 12 to 18 months, said Jim Reavis, executive director of the non-profit Cloud Security Alliance, at today’s Cloud Connections event here. While many PC and network security approaches have taken decades to coalesce, “I don’t think we have 25 years to figure [cloud security] out,” Reavis said, adding that once the foundations of the cloud are built, “it [will] be very hard to change things.

That said, the evolution of security out to the cloud is no small change. Rather, it represents a fundamental “reset” for the entire security industry. The cloud changes fundamental assumptions about how data is managed and processed, which leaves not only security professionals but enterprises and government/regulators scrambling to understand all the implications. Among the questions raised, Reavis said: is my cloud compliant? Do I know where my data is? Can I move my data and apps from one cloud to another? Will hackers get me? Will the risk associated with the cloud get me fired?

The time to address those questions is now, he said. In fact, today’s evolving “hybrid” environments – a blend of internal systems, fledgling cloud relationships and a wave of phones and tablets accessing both environments with very little IT oversight – already represent massive change. “For security professionals, this is like the worst case scenario. But it’s where the world is going.

“All the physical and security controls that we have developed and maintained need to be moved to a virtual world,” Reavis added. “That’s a big challenge and creates a lot of fear.”

Reavis advised attendees to start thinking more strategically about the cloud now. IT architectures must begin to evolve to support the new hybrid enterprise spanning private and public clouds. Federated identity management must become a reality to secure access across this new environment. Service oriented architecture (SOA) principles should guide application development, especially the principle of loose coupling of data and APIs for app dev flexibility And, finally, IT should consider the cloud as an option for ALL new IT initiatives, while at the same time working hard to understand the risks the cloud represents.

The Cloud Security Alliance, with more than 19,000 individual and 100 corporate members, is focused on helping the industry address those challenges. One of its core activities is publication of CSA Guidance Research, which outlines best practices for security the cloud (see it at wiki.cloudsecurityalliance.org/guidance).

Driven out of that research, Reavis provided a checklist of areas cloud evaluators should consider:

Governance – including securing proper service level agreements (SLAs), contracts and architecture planning with cloud providers, as well as understanding the third-party companies that cloud providers do business with.

Legal – plan in advance for how you terminate your relationship with a cloud provider and manage how your assets are returned

Compliance – identify the physical location of your data whenever possible

Portability and interoperability – adhere to SOA loose coupling principles to counter cloud provider interest in locking in customers. “This is key to determine whether or not we put enterprises in the driver seat,” Reavis said, compared with today, where most enterprises are absolutely reliant on several key platform vendors. If not, “then we’re just changing out one benevolent overlord for another one [in the cloud].”

Disaster recovery – understand the cloud provider’s data practices and how well they match your own

Data center operations – investigate things like provisioning, patching and logging, which are often non-standard in cloud environments today

Encryption – whenever possible, encrypt data and segregate key management from your cloud provider

Virtualization – understand how cloud providers deal with hardening, rollback and porting of VM images

Identity management – adopt not only the principles of ID management, but key standards as well, including SAML and Open ID

Reavis closed with his thoughts on what might come next with the cloud, or Cloud 2.0, as he called it. Among his conjectures: the future of the cloud might be even less centralized, and much more grid-like, than we think. He also warned that if the IT industry isn’t careful, the government could step in and regulate the cloud, such is both the complexity and import of this IT evolution.

And finally, Reavis predicted that four of the largest IT vendors in 2020 won’t even be on the radar today – yet another way of predicting the massive change the cloud may well bring about.