Thursday, October 22, 2009

I really don't know clouds (computing) at all....

To someone who doesn't work in computers and technology, the term "cloud security" conjures up visions of St. Peter at the pearly gates checking a person's record. Yet, in the tech space, the term "cloud" means the storage of data. According to the folks at, "Cloud computing is a general term for anything that involves delivering hosted services over the Internet. These services are broadly divided into three categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The name cloud computing was inspired by the cloud symbol that's often used to represent the Internet in flow charts and diagrams."

I recently did an interview for another blog on the topic with Josh Zachry systems security lead, Rackspace, and Jeff Reich, director of cloud security research, the University of Texas at San Antonio, as part of the publicity efforts to get people to attend the upcoming Austin Innotech, Oct. 29 at the Austin Convention Center. Zachry and Reich will speak at 3:30 p.m. on this topic at Innotech Austin on Oct. 29. As I thought people in San Antonio might learn something from this interview, I thought I would share in this blog.

Question: What are the biggest challenges with cloud security?

Zachry: It really depends on the type of cloud offering (IaaS, PaaS, SaaS) and the way in which a cloud consumer or potential consumer plans to use the offering. Awareness seems to be a big challenge right now for both cloud providers and cloud consumers. Ultimately, cloud computing is a technology platform that does some things well and others not so well. It's important for cloud consumers to make sure they are using
a cloud computing solution appropriately. It's also important for cloud providers to provide the needed information to consumers so they can make the right decisions.

Question: Is there a need for a single standard for cloud security?

Reich: This is a difficult question right now. I don't believe there is a need for a single cloud security standard at this point in time. The reason for this is due to the differences in cloud computing platforms and the ways in which competing providers deliver and service those platforms. I believe that more discussion should focus on data and information that may be exposed within the different platforms (IaaS, PaaS, SaaS) and guidelines for protecting the confidentiality, integrity and availability of the data in question.

Question: What kind of issues do security professionals need to address to protect a cloud database?

Zachry: It depends on a number of factors. For example, the types of information or data stored in the database (this will drive a number of protection requirements). Also, the authentication solution used (SSL, API, VPN, etc). Again, it really depends on the types of data and information being stored.

Question: Is there anything else we should know about the future of cloud security?

Reich: Cloud computing security will continue to be an important and dynamic topic. Cloud computing promises great capabilities and efficiencies at a reduced price. This naturally compels individual consumers and businesses to leverage cloud computing solutions for needed computing capabilities. What must not be ignored, however, is that cloud computing is prescriptive at this point. It's important that everyone become engaged and learn more about cloud computing capabilities.

No comments: