Kim Cameron,Chief Architect of Identity at Microsoft, reports on a disturbing trend at a seminar on cloud computing from his IdentityBlog:
A few weeks ago I spoke at a conference of CIOs, CSOs and IT Mandarins that - of course - also featured a session on Cloud Computing.
It was an industry panel where we heard from the people responsible for security and compliance matters at a number of leading cloud providers. This was followed by Q and A from the audience.
There was a lot of enthusiasm about the potential of cutting costs. The discussion wasn’t so much about whether cloud services would be helpful, as about what kinds of things the cloud could be used for. A government architect sitting beside me thought it was a no-brainer that informational web sites could be outsourced. His enthusiasm for putting confidential information in the cloud was more restrained.
Quite a bit of discussion centered on how “compliance” could be achieved in the cloud. The panel was all over the place on the answer. At one end of the spectrum was a provider who maintained that nothing changed in terms of compliance - it was just a matter of oursourcing. Rather than creating vast multi-tenant databases, this provider argued that virtualization would allow hosted services to be treated as being logically located “in the enterprise”.
At the other end of the spectrum was a vendor who argued that if the cloud followed “normal” practices of data protection, multi-tenancy (in the sense of many customers sharing the same database or other resource) would not be an issue. According to him, any compliance problems were due to the way requirements were specified in the first place. It seemed obvious to him that compliance requirements need to be totally reworked to adjust to the realities of the cloud.
Someone from the audience asked whether cloud vendors really wanted to deal with high value data. In other words, was there a business case for cloud computing once valuable resources were involved? And did cloud providers want to address this relatively constrained part of the potential market?
The discussion made it crystal clear that questions of security, privacy and compliance in the cloud are going to require really deep thinking if we want to build trustworthy services.
The session also convinced me that those of us who care about trustworthy infrastructure are in for some rough weather. One of the vendors shook me to the core when he said, “If you have the right physical access controls and the right background checks on employees, then you don’t need encryption”.
I have to say I almost choked. When you build gigantic, hypercentralized, data repositories of valuable private data - honeypots on a scale never before known - you had better take advantage of all the relevant technologies allowing you to build concentric perimeters of protection. Come on, people - it isn’t just a matter of replicating in the cloud the things we do in enterprises that by their very nature benefit from firewalled separation from other enterprises, departmental isolation and separation of duty inside the enterprise, and physical partitioning.
I hope people look in great detail at what cloud vendors are doing to innovate with respect to the security and privacy measures required to safely offer hypercentralized, co-mingled sensitive and valuable data.