Reed helped draft the IT giant's security framework for the new fast-changing world of cloud computing and works with enterprise consumers who all want to know how to use cloud safely. Only partly in jest, he defines cloud computing as highly elastic, scalable, self-service, on-demand, programmatically accessible, and "probably secured."
What's a top-down view of cloud and cloud security for the enterprise right now?
Archie Reed: There's data protection and privacy management, which go together to talk about maintaining integrity and availability. Next, you think about the governance, risk and compliance model around and on top of that. Then you work out the identity and access pieces -- this is classic security management. Fourth is the infrastructure security components, what changes and what doesn't.
Fifth (this is the taxonomy we use as part of the HP methodology) is the readiness aspect, and that is, "Are you and the providers ready?" Have they got the right team in place, have they got the right legals, contracts, all those sorts of classic things around a project. What IT [on the other hand] has got to realize is that they aren't the only players in the game. They do need to bring in legal; they do need to bring in contract negotiators.
What does a business unit wanting cloud need to watch out for, since, as you say, IT can't just go in alone and shoulder the responsibilities?
AR: There are some things companies need to watch out for. There's no liability. There's no recourse other than the legal system if something goes wrong. If you're dealing with small providers, what are you going to do? There's no recourse if contracts don't mention that the architecture may change on the back-end and outsource to India, yet you've got something that requires your data to remain in a geographic location.
Unless you're looking at all those things and have that negotiated in properly, you have no controls, not even any recourse, and that's not the job of the IT team, right? They can take a look at the architecture and say, "That's great," but they're not in a position to look down the line and say, "OK, how are we going to make sure this doesn't impact us long term?"
Will cloud providers try to address security with new features? They could start charging half a cent for disk-to-disk encryption, a penny for encryption at rest, for example. Is that a viable market model for enterprises who need security functions and public cloud providers who need economies of scale?
AR: I think this is key. If we do cloud services correctly, that will be an option. The rate you could charge is still open for debate, since not many are trying that sort of thing. There will come a point where there will have to be some level of security. If a customer comes along and says, "If you want me to use this, I've got to have this sort of encryption and I've got to manage the keys," well, great, go to Amazon and away you go -- they only provide the infrastructure and you can encrypt, basically, from the virtual machine up. It's entirely up to you and you take the cost on.
However, once [cloud providers] work out that customers want those things, they'll make it a standard part of their platform.
But that's aftermarket, bolt-on security. You've still got this new consumption model wherein, at a baseline, fundamentally, you are on your own.
Where does HP come down on cloud security and standards for the industry? There are emerging standards, but it's completely unclear how or even if security standards based around cloud will shake out.
AR: For a start, HP is trying to work with as many of the standards groups as we can. We were involved in the formation of the Cloud Security Alliance. While the first and arguably the second release of their guidelines are certainly descriptive rather than prescriptive, they are certainly moving in the right direction. It's very difficult; we are talking about a vast range of functions and services.
We are working very closely with the Jericho Forum, OASIS, the DMTF, the Trusted Computing Group, ITIL; we have leadership or supporting roles in all of these and more. We certainly push for looking at the applicability of things like SAS 70 and traditional ISO2700 models, although they don't cover everything.
What is the bottom line for the business unit management team on cloud computing?
AR: The final point that I always make is you can either be afraid of cloud computing -- in fact, don't be afraid, be very afraid -- or you can be prepared.
I talk to a lot of folks who say, "We've got a policy in place that says no cloud computing. No one is allowed to go outside the company." And I say: "That's an interesting approach. Do you remember things like Microsoft Access or Lotus 1-2-3 and Microsoft Excel coming into your finance departments without your knowledge? And having to clean it up afterwards?"
If you aren't on top of [cloud computing] and don't understand the change in your role to mediator or a service provider to your company, then you are going to be disintermediated.