Friday, February 12, 2010

Perceptions on Security and Cloud

So, I attended the Westminster eForum this week to join a panel in their Cloud Computing event, graced by none other than Reuven Cohen, yes, he of the Cloud Camp! While my panel session was all about the benefits of the Cloud to organisations in Public and Private Sector, much rehearsed and not to be repeated here, I was more taken by the discussion in the following panel, which focused on Cloud Security. In particular, discussion centred around the differences between security vulnerabilities in the Cloud versus security vulnerabilities in the traditional context. I have previously observed that the Cloud might give at least one genuine advantage over the corporate firewall: it will be hard, if not impossible, to physically steal an asset when you don't know where it is! Hard to break in to a data centre when you don't know which one has the data!

But seriously, the real difference is what happens when you remove the illusory security of the corporate firewall. Remember, your biggest risk comes from within, and therefore users will have to secure applications and their data in isolation from the environment in which they are executed. Isn't this much like the discussion of deperimeterisation which was raging a few years ago, about operating securely across the internet for decentralised organisations? What does it take to operate securely in the Cloud? It seems that the way to think about this is to imagine deploying a service in which each component is secured: virtual machines which are pre-configured with anti-malware; robust, multi-factor identity and authentication procedures; information which is encrypted during transmission and storage; and processes which are self-cleaning on completion or abortion of execution.

It seems to me that this is common sense and a good example of systems engineering at work. After all, does the opposite hold true, i.e. that you can leave information lying around anywhere within the firewall because only employees (and contractors) can access it via the intranet? I think not. I guess that there is no substitute for some hard work!
