Andy Mulholland, CTO, Capgemini
At the beginning of the week I had made a note to examine the latest views on security presented at the annual RSA Conference 2011 . I noticed that the Cloud Security Alliance Summit who were present at the RSA Conference running their own stream had the US government's CIO Vivek Kundra talking about moving government data into 'the cloud' . It certainly sounded as though he was confident on the data security front, and his presentation was compelling from the perspective of numbers and savings to be made. The desire to close 800 government data centres (roughly half the total) by 2015 to bite into the $80 billion operating costs of today is a target and argument that makes sense.
Does that mean the security worries, not just of data centres but of the whole user's browser-based decentralised security model, are solved? Well the Cloud Security Alliance guys were as you might expect very positive, but the work at the mainstream RSA event looked more like a real in-depth solution was on its way. The one big thread that seemed to be running through the big technologists' presentations was a consistent focus on 'endpoint' security.
Bill Veghte, HP's Executive VP of Software and Solutions provided a good definition of the what and why of this shift in thinking by pointing out that there is a shift from enterprise IT to consumer IT redefining the fabric of the environment as different devices, smartphones, iPads etc, often owned by the employees are being used at different locations and times to perform enterprise work. “The reality is that the way apps and services and business processes will be delivered is changing in a big way. We have to address the reality that the user is more empowered than ever before”. There was surprisingly little coverage of this presentation, not helped by a single paragraph on the HP press site, which seemed to suggest that this was a routine effort, but at least a couple of reporters did catch it.
Scott Charney Microsoft Corporate VP for Trustworthy Computing added more detail to his whitepaper from last year in which active measures to quarantine devices that are considered by the 'Internet/web' global community as a whole to be dangerous would restrict higher level functionality whilst maintaining basic functionally to 'deal with the problem device/user'. Scott chose to use the metaphor of smoking and public health to make his point; “Collective defence is better than individual defence, but we need to be applying public health models to the Internet. ...Smoking used to be considered a personal decision based on the individual's attitude to the risk. Once the dangers of second hand smoke were understood, public health rules applied because common good was threatened. The same is true for the Internet”. A summary of the full presentation is available on the Microsoft press site
Ambika Gadre, Senior Director of Cisco Security Business Unit, summed it up neatly with the comment; “We need to rethink the entire Security Architecture, the endpoint is fracturing into a million directions”. You can see his personal video chat on YouTube on how Cisco is addressing this.
So what is the link to the US government CIO feeling confident enough to move entire data centres to the cloud? Just that! He is talking about the recognisable enterprise IT model of centralisation which is still defendable in recognisable ways around guarding access from the defined users almost certainly working from traditional offices on government owned and managed machines. Move one data centre from government ownership to another site where it is operated by an efficient hosting operator and the issues are definable.
In fact they are so definable that the European Union Agency ENISA, European Network and Information Security Agency, back at the end of 2009 published a downloadable report that over 125 pages clearly identified all of the issues that were risks in a move of the kind that the US government's CIO is making and its summary was;
The key conclusion of this paper is that the cloud's economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost effective.
What is really at stake here is the cold hard definition of shared service centres running enterprise IT applications where the risk is centred on location change rather than change of use.(Though one can add an emotive risk around loss of local control.) It's popular to call this 'cloud' but in fact it is a continuation of the current evolution of data centre optimisation around heavy virtualization. A genuine cloud is based on browser/cloud technologies to provide user driven consumption (and creation) of 'services' from a variety of devices and locations.
That's a very different security challenge and what is clear from the presentations at the RSA Conference is that the industry agrees on the core of the approach that it is taking to resolve it. From an operational point of view today the trick is to recognise the difference and keep the two environments apart!