{"id":1036,"date":"2009-05-13T12:34:15","date_gmt":"2009-05-13T20:34:15","guid":{"rendered":"\/?p=1036"},"modified":"2009-05-13T13:33:50","modified_gmt":"2009-05-13T21:33:50","slug":"fyi-encryption-is-not-necessary","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1036","title":{"rendered":"FYI:  Encryption is &#8220;not necessary&#8221;"},"content":{"rendered":"<p>A few weeks ago I spoke at a conference of CIOs,\u00a0CSOs\u00a0and IT Mandarins that\u00a0&#8211; of course &#8211; also featured a session on Cloud Computing.\u00a0\u00a0<\/p>\n<p>It was an industry panel where we heard from the people responsible for security and compliance matters at a number of leading cloud providers.\u00a0 This was followed by Q and A\u00a0 from the audience.<\/p>\n<p>There was a lot of enthusiasm about the potential of cutting costs.\u00a0 The discussion wasn&#39;t so much about whether cloud services would be helpful, as about what kinds of things the cloud could be used for.\u00a0 A government architect sitting beside me thought it was a no-brainer that informational web sites could be outsourced.\u00a0 His enthusiasm for putting confidential information in the cloud was more restrained.<\/p>\n<p>Quite a bit of discussion centered on how &#8220;compliance&#8221; could be achieved in the cloud.\u00a0 The panel was all over the place on the answer.\u00a0 At one end of the spectrum was a provider who maintained that nothing changed in terms of compliance &#8211; it was just a matter of outsourcing.\u00a0 Rather than creating vast multi-tenant databases, this provider argued that virtualization would allow hosted services to be\u00a0treated as being logically located &#8220;in the enterprise&#8221;.<\/p>\n<p>At the other end of the spectrum was a\u00a0vendor who argued that if the cloud followed &#8220;normal&#8221; practices of data protection, multi-tenancy (in the sense of many customers sharing the same database or other resource) would not be an 
issue.\u00a0 According to him,\u00a0any compliance\u00a0problems were due to\u00a0the way\u00a0requirements were\u00a0specified in the first place.\u00a0\u00a0It seemed obvious to him that\u00a0compliance requirements need to be totally reworked to adjust to the realities of the cloud.<\/p>\n<p>Someone from the audience asked whether cloud vendors really wanted to deal with high value data.\u00a0 In other words, was there a business case for cloud computing once valuable resources were involved?\u00a0 And did cloud providers want to\u00a0address this relatively constrained part of the potential market?<\/p>\n<p>The discussion made it crystal clear that questions of security, privacy and compliance in the cloud are going to require really\u00a0deep thinking if we want to build trustworthy services.<\/p>\n<p>The session\u00a0also\u00a0convinced me that those of us who care about\u00a0trustworthy infrastructure are\u00a0in for some rough weather.\u00a0 One of the vendors shook me to the core when he said, &#8220;If you have the right physical access controls and the right background checks on employees, then you don&#39;t need encryption&#8221;.<\/p>\n<p>I have to say I almost choked.\u00a0\u00a0When you\u00a0build gigantic, hypercentralized, data repositories of valuable private data &#8211; honeypots on a scale never before known &#8211; you had better take advantage of all the\u00a0relevant technologies allowing you to build concentric\u00a0perimeters of protection.\u00a0\u00a0Come on, people &#8211; it isn&#39;t just a matter of\u00a0replicating in the cloud\u00a0the things\u00a0we do in enterprises that by their very nature benefit from firewalled separation from other enterprises, departmental isolation and separation of duty inside the enterprise, and physical partitioning.\u00a0\u00a0<\/p>\n<p>I hope\u00a0people look\u00a0in great detail\u00a0at\u00a0what cloud vendors are\u00a0doing to innovate\u00a0with respect to\u00a0the security and privacy measures 
required\u00a0to safely offer\u00a0hypercentralized, co-mingled\u00a0sensitive and valuable data.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have to say that I almost choked&#8230;<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[63,21,13,68,69],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1036"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1036"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1036\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}