Sunday, October 12, 2014

What do people mean by cloud security?

Security continues to top the charts when IT folks are asked what thing most gives them pause about using a cloud—especially a multi-tenant public one. This invites the retort: “Do they think you know how to better secure systems against attackers than Amazon?” Probably not. But “security” in this case often means something quite different than just keeping the bad guys out.

A general observation that isn’t particularly original. Back in 2011, I was writing about how cloud governance was about more than security. More recently, I’ve given many presentations delving into how cloud security was a much broader topic than just security classic.

But the extent to which cloud “security” goes beyond just security classic *most classic concerns still matter as well) was reinforced during a couple of sessions at 451 Research’s Hosting + Cloud Transformation Summit held in Las Vegas last week. And they provided some color about what people mean by that “security” word as well.

In his keynote, Research VP William Fellows reiterated that security—perceived and real—continues to come up regularly in cloud discussions. However, he went on to say that it’s actually jurisdiction which is the number one question. Perhaps not surprising really given the headlines of that the last year but it reinforces that when people voice concerns about security, they are often talking about matters quite different from the traditional Infosec headaches. (Attorney Deborah Salons sat down to do a podcast with me early last year on data governance issues. The link includes a transcript for those who prefer reading.)

Providersecurity

Michelle Bailey, VP of Datacenter Initiatives and Digital Infrastructure, fleshed out these security concerns in more detail during her session. The question she was answering was a bit different: “What are the top three things that providers can do about security?” Presumably certain types of security concerns (e.g. malware in a company’s POS systems) aren’t something a provider could be expected to do a lot about. Nonetheless, I expect there’s a high correlation between someone being concerned with some aspect of security and valuing providers who can mitigate that risk.

Data locality comes up here too. This is a hot topic among cloud providers and one of the reasons, besides sheer volume, for their rush to build new data centers. In other words, people want to be able to choose, say, an Amazon region that is sufficiently constrained geographically from the perspective of judicial orders or other authority. It’s about knowing the laws to which they may be subject.

But broadly, I’d characterize the top wants as being fundamentally about visibility and control. Transparency, auditability, verifiable encryption, control over encryption. And indeed pretty much the whole rest of the list is either related characteristics or various standards and documentation to help ensure that cloud providers do the things they promise to do.

Conspicuously lacking is pretty much anything in the vein of physical security or DDOS mitigation or firewall configurations. That’s because, while important, they’re largely viewed as solved problems from the perspective of the cloud provider.

Mind you, given the shared responsibility model that comes into play when you use a cloud provider, you share responsibility for the workloads that you’re running on the cloud provider. You’re still running and patching the operating system running in the cloud. But you know how to do that; you basically do the same thing you do on-premise. (Obligatory plug for Red Hat Enterprise Linux and our Certified Cloud Provider Program here. I should have a new whitepaper out soon.) 

For these and other reasons, Michele concluded that “ the end game isn’t public cloud, it’s hybrid cloud. And you can bet on that for the next 5 years.” And that security, among other factors, will lead to hosting providers remaining a  "very long tail market” in which  messaging, targeting, and matching strengths with customer requirements will continue to offer many opportunities for differentiation. 

No comments: