17-01-2013, 10:08 AM
Cloud Computing Security Considerations
Cloud Computing.ppt (Size: 1.29 MB / Downloads: 63)
Introduction
As you likely already know, there's a LOT of hype associated with cloud computing. I'm sorry about that (but I can't fix that)
Cloud computing is a huge topic. It encompasses diverse models and technologies, even though users and the trade press tend to lump them under a common name. Covering all potential security issues in 20 minutes is simply impossible.
For that matter, please note that we're still discovering many of the security issues which will challenge cloud computing!
Why? In part, that's because cloud computing is still a work-in-progress. Because it is rapidly evolving, what I tell today you may quickly become irrelevant or obsolete.
Nonetheless, there's so much thrust behind cloud computing that we simply don't have the option of sitting back and waiting to understand address cloud computing security issues.
What's Driving Cloud Computing? Drivers Include…
Thought leaders: Amazon, Google, Microsoft and many other Internet thought leaders have all aligned behind the cloud
The economy: Because cloud computing should theoretically help sites avoid major new capital expenditures (capex) while also controlling some ongoing operational expenses (opex), cloud computing is potentially a "lifesaver" for financially strapped businesses, including many major universities.
The Feds: Cloud computing has substantial momentum in Washington DC: it was featured in the just-released federal IT budget; Vivek Kundra, the federal CIO, has championed creation of http://apps.gov/ , a “one-stop shop” for cloud computing services for federal agencies; DISA has created a very successful cloud computing project called "RACE;" and Howard Schmidt, the new federal cyber security coordinator, has said that securing cloud computing will be a top priority.
Our Community Is Also Pressing Ahead
Cloud computing seem to be turning up on pretty much every networking and security mailing list I'm on
You've heard/will be hearing a number of cloud computing talks during this week's meeting, which is probably not surprising since cloud computing was one of Joint Tech's explicit focus areas.
But I'm seeing clouds everywhere, not just here at Joint Techs.
Heck, I'm even seeing "clouds" (with frequent references to security!) appear in things like the last Internet2 Member Meeting "Introduction to Internet2" talk
Why Is "Security" Everywhere on That Slide?
Security is generally perceived as a huge issue for the cloud:
During a keynote speech to the Brookings Institution policy forum, “Cloud Computing for Business and Society,” [Microsoft General Counsel Brad] Smith also highlighted data from a survey commissioned by Microsoft measuring attitudes on cloud computing among business leaders and the general population. The survey found that while 58 percent of the general population and 86 percent of senior business leaders are excited about the potential of cloud computing, more than 90 percent of these same people are concerned about the security.
Cloud Computing Is Many Different Things to Many Different People
All of the following have been mentioned from time to time as examples of “cloud computing:”-- Amazon Web Services including the Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), etc.)-- Rackspace Cloud (formerly Mosso)-- Google’s App Engine-- Windows’ Azure Platform (production/for-fee as of today!)-- the OGF (including its Open Cloud Computing Interface)-- SETI@Home, Folding@Home, distributed.net, etc.-- outsourced campus email service (to Gmail or Live.com), or outsourced spam filtering (e.g., to Postini or Ironport)-- use of virtualization (e.g., VMware) to host departmental systems either on local servers, or on outsourced VPS
In reality, some of those activities are not (strictly speaking) what's usually defined as "cloud computing,"
Cloud Provider Transparency
You will only be able to assess the sufficiency of cloud provider security practices if the cloud provider is willing to disclose its security practices to you.
If your provider treats security practices as a confidential or business proprietary thing, and won't disclose their security practices to you, you'll have a hard time assessing the sufficiency of their security practices. Unfortunately, you may need to consider using a different provider.
Remember: "Trust, but verify." [A proverb frequently quoted by President Reagan during arms control negotiations]
I'm not known for being a big Microsoft cheerleader, but Microsoft deserves recognition for promoting both their Cloud Computing Advancement Act and pressing cloud vendors to police themselves when it comes to transparency.