Friday, December 25, 2009

Cloud Security FUD Addressed with Executive Overview
- guidance and news as 2009 comes to a close

(Updated 11/24/2011)

Cloud computing technology and solutions hit many critical infrastructure organizations head on in 2009, transitioning from a vague concept to a must-have, at times mandated, in-house technology for many, a.k.a. private clouds. During this time, vendor offerings hosted in public cloud settings increasingly also provided quick start, low cost, and flexibility with extensive integration options, without much of the extra lifting and hassle of running all the footprint requirements in-house. While some state that clear cloud security standards are still years off, the reality is we're already well into the realm of having to deal with public and private cloud security issues, especially at the business network level.

The following provides a good executive thumbnail of what decision makers need to understand, in addition to the latest in more specific guidance for secure cloud computing:

  • The Busy Executive’s Quick Cloud Computing Reference Guide - Virtualization Journal, Dec 2009 — As an executive, you may be hearing many different viewpoints about Cloud Computing; some of them promising significant IT cost reductions and reductions in capital expenditures. Don't get caught off guard regarding all the technical complexities of developing and offering Cloud Computing services; the whole reason you're considering this option is so others will take care of these factors for you. Although you still need to be an educated consumer, you don't need to be in the weeds to ensure you're not caught with your pants around your ankles if you decide to use Cloud Computing services.
  • Guidance for Critical Areas of Focus in Cloud Computing - Version 2.1 - Dec 2009 (76 pages). The Cloud Security Alliance's (CSA) newly released second version of its guidance for secure adoption of cloud computing services provides more details with a good overview, addresses risks and timing, and helps simplify the decision process involved. This non-profit released its first version during the 2009 RSA Conference.
    Excerpt: It is hard to believe that just seven short months ago, we pulled together a diverse group of individuals from all corners of the technology industry to publish the first “Security Guidance for Critical Areas in Cloud Computing.” Since its launch, this seminal publication has continued to exceed our expectations for helping organizations around the world make informed decisions regarding if, when, and how they will adopt Cloud Computing services and technologies. But over those seven months our knowledge, and cloud computing technologies, have evolved at an astounding rate. This second version is designed to provide both new knowledge and greater depth to support these challenging decisions.

    11/24/2011 Update
  • The Cloud Security Alliance (CSA) released Security Considerations for Critical Areas of Cloud Computing - Version 3, 11/14/2011

  • NIST Cloud Computing Project Site. NIST's role in cloud computing is to promote the effective and secure use of the technology within government and industry by providing technical guidance and promoting standards.

Of course, the devil is in the details, which vendors are working feverishly to address and to differentiate themselves with. Microsoft's cloud undergoes annual audits for PCI DSS, SOX, and HIPAA compliance, as well as internal assessments throughout the year. Remarkably, the Microsoft cloud has also obtained ISO/IEC 27001:2005 certification (this year) in addition to SAS 70 Type I and II attestations. ISO 27001 (formerly ISO 17799) remains one of the best information security standards available - a superset when compared with other standards. Microsoft's Azure-branded public cloud computing platform, long in development, is set to go live on New Year's Day. Plans include expanding the new technology into customer settings.

At a technology execution level, the release of vSphere in early 2009 extended VMware's lead with significant performance, feature, and security improvements - a game changer - including robust Cisco Nexus 1000V software appliance support. Regardless of the technology mix deployed, many organizations are coming to grips with virtualization's broader implications and working to spin up capabilities while the technology race presses on.

Bottom Line for Critical Infrastructure. The implications go well beyond the basic virtualization strategy of seeking tactical operational benefits with fewer physical servers and more virtual servers. For even the most critical infrastructure settings, private cloud (aka virtualization) computing is increasingly a must-have for any new large investments going forward. The cloud technology benefits are compelling (fault tolerance, hot recovery, managing growing functional and regulatory complexity, layering defenses, etc.) even while introducing their own complexity and risks to manage. The future will have layered information landscapes, with underlying systems, networks, and storage increasingly virtualized and extending deeper into and well beyond the comfort zone of today's typical organizational and outsourcing boundaries.

  1. Five Big Questions about Cloud Computing - InfoWorld, Dec 28, 2009
  2. Secure the Datacenter, Secure the Cloud - Microsoft Federal Blog, Oct 2009
  3. Cloud Computing Deep Dive Special Report (21 pages) - InfoWorld, Dec 2009
  4. Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives (10 pages) - ISACA, Emerging Technology White Paper & more, Oct 2009
  5. Microsoft Thrive Live! IT Professional Virtualization Tour Podcast
  6. VMware vSphere Podcasts Series & YouTube VMwareTV Channel
  7. Cloud Computing Grows Up - Forbes, Dec 22, 2009
  8. Plug Into the Cloud - InformationWeek's Cloud Computing Destination - perspective, hot topics