Cloud computing security top of mind at RSA conference

Security practitioners voice reservations about cloud computing, and with reason.

SAN FRANCISCO -- Cloud computing conversations cropped up constantly at the RSA Conference this week -- in keynotes, track sessions, at lunch, even in the restroom [Editor's note: we'll save that one to protect the innocent].

Discussions focused on whether it's possible to transfer existing security policies and practices to the cloud; if cloud providers are becoming a single point of failure; how to know if those providers can be trusted; and issues around cloud service-level agreements (SLAs), which many agree are not yet robust enough for enterprise IT shops.

"Consolidation equals a concentration of risk, which the banking industry is already acutely aware of these days after the financial meltdown," said Brian Koval, an information security engineer at Jack Henry Associates, an IT integrator and consulting firm in the banking industry. His firm advises banks to steer clear of public cloud services altogether and instead build cloud-like capabilities internally, he said.

During a Q&A session, one IT practitioner said cloud providers need regulation.

"No one provider should be too big to fail," Koval said, echoing the grim reality of the financial industry collapse, in which the government saved big banks from a downfall that would have had a disastrous effect on the entire economy.

A matter of trust
Christopher Squires, IT specialist at the U.S. Treasury Department, said trust is the biggest issue with cloud computing.

"We own all our servers, there's a comfort level; we don't have to worry about being compromised by things beyond our control."

This sentiment was echoed by other cautious IT pros. Stan Szwalbenest, risk director at JPMorgan Chase & Co., said most systems the bank deals with must be "behind our bricks and mortar where we control it."

He and others are worrying about whether cloud service providers will be around a year or more from now, along with the notion of a single point of failure. "How do I ensure against this in the cloud?"

Vendors offered little relief. Vishal Kumar, senior manager of cloud security at VMware, suggested the industry needs an identity and access service to move users to the cloud securely "without IT having to reprovision them." The audit and compliance element around cloud services was also missing and would have to fall into place before enterprise IT shops are able to really embrace the cloud, he said.

Brian Snow, technical director for the National Security Agency's information assurance department, said "dynamism" was the advantage of cloud services, which is at odds with what most enterprise IT security departments require: namely, "absolute control of infrastructure" and the ability to respond to regulators.

The importance of cloud SLAs
Snow advised IT shops considering cloud services to check their SLAs very carefully.

"There's going to be a whole new slew of lawyers to write these contracts," he said.

An IT operations director with a large retail site said his company is eager to crank up machines on Amazon Web Services, but "they don't provide much of an SLA at all."

Ron LaPedis, founder and principal of Seacliff Partners (ironically, a business continuity and security consulting firm), did not read the small print of his SLA with WebHost and suffered a major outage. He suggested that companies putting their businesses in the cloud think about backing up data to a different service provider.

Dealing with cloud hype
A chief engineer at Mitre Corp., a Department of Defense contractor, said everyone is following the cloud hype, and the DoD IT folks are no exception.

"They are sucked into the hype, but there is a large swath of folks who do not have operations experience in the field. There may be places where cloud makes sense, but when we're talking about people's lives in a war zone, that's the driving factor, not the fact that you can save costs," he said.

"Two years ago, everyone was saying 'SOA, SOA, SOA,' and it didn't save us money."

Jo Maitland is the Executive Editor at SearchCloudComputing.com. Contact her at jmaitland@techtarget.com.
