After a quick meeting down the street, I made it back within a few minutes of the start of Dana Gardner’s panel on cloud security, including Glenn Brunette of Sun, Doug Howard of Perimeter eSecurity, Chris Hoff of Cisco, Richard Reiner of Enomaly and Tim Grant of NIST.
There was a big discussion about what should and shouldn’t be deployed to the cloud, echoing a number of the points made by Martin Harris this morning, but with a strong tendency not to put “mission critical” applications or data in the cloud due to the perceived risk; I think that these guys need to review some of the pain points that we gathered in the business scenario workshop, where at least one person said that their security increased when they moved to the cloud.
One of the key issues around cloud security is risk assessment: someone needs to do an objective comparison of on-premise versus cloud, because it’s not just a slam-dunk that on-premise is more secure than cloud, especially when there needs to be access by customers or partners. It’s hardly fair to hold cloud platforms to a higher level of security standards than on-premise systems: do a fair comparison, then look at the resulting costs and agility.
The panel seems pretty pessimistic about the potential for cloud platforms to outperform on-premise systems: I’m usually the ultra-conservative, risk-averse one in the room, but they’re making me feel like a cowboy. One of them used the example of Gmail – the free version, not the paid Google Apps – stating that it was still in beta (it’s not, as of a week ago) and that it might just disappear someday, and implying that you get what you pay for. No kidding, cheapskate: don’t expect to get enterprise-quality cloud environments for free. Pony up the $50/user/year for the paid version of Google Apps, however, and you get 99.9% availability (less than 9 hours of downtime per year): not sufficient for mission-critical applications, but likely sufficient for your office applications that it would replace.
There were a lot of other discussion topics, ending with some interesting points on standards and best practices: for interoperability, integration, portability, and even audit practices. You can catch the replay on Dana Gardner’s Briefings Direct in a couple of weeks.
That’s it for the Enterprise Architecture Practitioners Conference. Tonight is CloudCamp, and tomorrow the Security Practitioners Conference continues.
Sandy,
I would not consider myself too conservative here! Unfortunately, until you get to the specifics of a customer, their application and data, etc., it is hard to have any specific recommendations. It is even more complicated when the panel is flexing between Software, Platform, and Infrastructure as a Service, public/private and hybrid models, etc.
That said, I would agree that for large enterprises, mission critical is not the place to start today, although for some SMBs it very well may be, as their security will many times not be any worse. As you rightly point out, with the right provider, an organization’s security capability may increase when moving to a cloud computing provider. I believe that in the near future this will continue to grow more and more true. For enterprises, however, it is _very_ likely that they may be able to use Cloud Computing for some subset of applications, workloads, or use cases. Amazon is quite fond of citing examples of organizations like the NY Times, Animoto, NASDAQ, and others using the cloud for things such as one-time processing, resource augmentation, functional offload, etc. I think we are just starting to unveil the use cases and more will surface as cloud computing matures.
So, please do not take the comments of the panel as negative on cloud computing or its use by enterprises. As with anything, we must exercise due diligence, understand the risks and rewards, and make sound business decisions once we decide whether a given provider (or internal cloud implementation) is appropriate for a given workload or dataset.
Thanks for your feedback! Love to hear more!
Glenn