Cloud computing

Posted May 19, 2009 at 11:09 am in General

I was reading an article titled “It’s Our Time” by Randy V. Sabett in this month’s ISSA Journal while drinking my morning cup of coffee when I came across a paragraph discussing the annual Cryptographers Panel at the most recent RSA Conference held in San Francisco. Randy writes that the “annual Cryptographers Panel provided excellent insights, including Whit Diffie being ‘bullish’ on cloud computing and comparing it to the last game-changing technology (being radio).” This made me think for a moment about what exactly cloud computing is, why this would be a topic of discussion, and what connection security has to cloud computing.

So what is cloud computing? Wikipedia describes cloud computing as “a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure ‘in the cloud’ that supports them.” Wikipedia goes on to write “the term cloud is used as a metaphor for the Internet, based on how the Internet is depicted in computer network diagrams, and is an abstraction for the complex infrastructure it conceals.”

An excellent video from rPath explains cloud computing better than I would be able to with strictly text:

Now that we have a grasp of what cloud computing is and can do for us, why would this be a topic of discussion for the Cryptographers Panel at the RSA Conference? Again, another excellent video:

“I believe cloud computing will get to (the point) where no real program…will be done anymore on the computers of the company that’s doing it,” said Whitfield Diffie, chief security officer at Sun Microsystems. I found this quote to be insightful and thought-provoking. If a remote data center is housing your business’s applications and is providing the computing on a “pay as you go” basis, how does this alter the traditional security model? What role do security professionals have in this type of business model? Are attacks more or less likely with this model? If we compare the cloud computing model to the classic client-server model, as suggested by Bruce Schneier, chief security technology officer at BT Counterpane, then one wouldn’t expect any drastic changes. However, as Adi Shamir, a computer science professor at the Weizmann Institute of Science in Israel, states in the video, “while a virus or other problem on a desktop computer can be a big annoyance, computation centers in hosted computing could spread problems more widely”.

My perspective is this: cloud computing provides great benefits to businesses that are unable to support their own data centers. From a security standpoint, the same time-tested perplexing questions arise when a problem does occur. Who becomes responsible? If a critical problem occurs that cripples a business’s ability to function properly, does the data center providing computing resources to the business suffer the losses, are the losses shared, or does the business that relies on this particular data center solely suffer the loss? What security frameworks, models, and standards will be deployed to ensure information security in the cloud computing model exists? As part of their business continuity plan, should businesses create redundancy by involving more than one data center? How are users controlled and, more importantly, how is the data controlled, used, and processed?

The research firm Gartner additionally raises seven cloud computing security risk questions that I feel support my questions:

  • How is privileged user access handled? What controls are in place for these users?
  • Are regulatory compliance standards followed?
  • Where will the data physically be located?
  • How will your data be segregated from other customers’ data?
  • In the event of an emergency or disaster, how will your data be recovered and by whom?
  • Is there investigative support for inappropriate or illegal activity if needed?
  • Does the computing provider seem like a long-term viable solution?

Resources:
1. http://en.wikipedia.org/wiki/Cloud_computing
2. http://news.cnet.com/8301-1009_3-10224190-83.html
3. http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

