A few years ago, Boeing's E.J. Jones had a bright idea. An IT security professional specializing in software, he wanted to get a source-code review application out of his hair and onto Amazon Web Services (AWS). It would suit the application and his needs perfectly, be ridiculously inexpensive in relative terms and not burden his infrastructure team.
The problem was that Jones, besides being naturally cautious, works for an enterprise that takes nothing lightly, especially security. Boeing needed a way to fit the cloud computing concept into its organization; Jones and his IT security division were tasked to find a way.
"I wanted to put one of the first Boeing apps out in the cloud," Jones said. The impetus for turning to cloud computing for small projects was the familiar refrain of easy, cheap and fast. "We don't have the bandwidth, so let's use the cloud," he said.
Boeing looks to evaluate cloud providers
While technically feasible, moving the idea through Boeing's complex organizational structure was the real challenge. Jones said the security team wanted to develop a process and a framework for cloud that was both cohesive and practical, but they ran into many legal, strategic and practical roadblocks.
Jones forged ahead, developing a methodology for evaluating what a cloud provider could and could not provide. The security team started with a standard request for proposal (RFP) that targeted cloud vendors rather than the usual suspects for contract work at Boeing.
"The responses we got back were laughable," said Jones. He noted that most RFPs start with a business need, not a security protocol, so his team's initial 105-question request for information (RFI) document was a little unusual.
But it was clear that the replies coming in -- even those from top providers in cloud and managed hosting -- were the product of untrained, uninformed sales and marketing staff. Clearly, Boeing could not rely on vendors to answer for their own products.
Jones said the solution was an impartial scorecard evaluation of providers. Boeing designed a five-part checklist and graded each provider. The requirements included questions like, "Can a provider tell us when and how a failure has occurred?" and "Can they guarantee uptime?" Jones said these were the questions most often failed by cloud providers.
He said that a failure in one category meant a failure all around; as a security practitioner, he could not "grade on a curve" and say that a service was "sort of" safe. He was also surprised at what he learned from the process, as security was usually brought up last on a work contract, not first. He found himself learning about things he had previously been able to ignore.
"As an information security professional, I didn't know service-level agreements (SLAs) too well, I didn't know legal," he said. "Well, I do now."
Navigating the cloud maze internally
Jones added that a large part of the job was navigating the organization. He remembered the day he presented some of their findings to his Chief Information Security Officer (CISO). An important company lawyer was present, and despite Jones's extensive consultations with legal staff, the head lawyer did not know that Boeing was considering the use of external services for IT applications. It was a complete surprise to him. That, Jones said, was an interesting meeting.
Boeing was able to create a template for assessing and engaging cloud computing providers, Jones said, but many headaches could be dissolved for enterprises and providers alike if better security standards were adopted industry-wide.
Vendors need to offer security-rich services that would tempt enterprise users out of the box, Jones said. The rest of the IT service industry, he added, was compounding the problem at a staggering rate by mislabeling traditional offerings as cloud. "The way the term is thrown around is phenomenal."
Jones is currently integrating the Cloud Security Alliance's guidance and recommendations into the work being done at Boeing. Jones said the Alliance's work parallels his own learning curve and was therefore a decent model for enterprises to start with. He said that his department had carried out 30 evaluations for cloud providers already, and there were no shortcuts. "It does take a lot of time, from a security perspective," he said.
In a final analysis, Jones said, cloud computing is obviously worth doing. The only practical way for an enterprise to approach it safely, however, is to steer clear of propagandists and boosters, perform security (and legal) due diligence, and pressure cloud vendors for clear, meaningful technical information that conforms to universally understood standards.
"If we are all speaking with one voice, maybe it will sink in," he said.
Carl Brooks is the Senior Technology Writer at SearchCloudComputing.com. Contact him at firstname.lastname@example.org.