Overcast weather
by Deborah Volk on June 2nd, 2009

Toto, we aren't in Kansas anymore. I believe we have landed in Seattle where cloud cover is the norm.

At JavaOne they have a whole set of sessions dedicated to the Cloud. Soon, the Cloud (with a capital C, mind you) will be as pervasive as the web. (Wait, isn't it the same thing?!) I was fortunate enough to attend the standing-room-only panel on Secure Cloud Computing this afternoon. The panel consisted of Michelle Dennedy from Sun, Joshua Davis from Qualcomm, Jim Reavis from Cloud Security Alliance, Tim Mathers (old timey (experience, not age) InfoSec guy), and David Hahn from Wells Fargo. The fact that it was standing room only (though the room was fairly small) says something about this cloud stuff, and the importance of security in it.
For those of us on the frontlines, this doesn't come as a surprise. The Cloud is just another permeable boundary across which credentials are shared and data is exchanged. What makes the cloud unique is the ownership of the process, data, credentials, and associated risk. The big points made by the panel were that in order to make Cloud Computing viable, vendors will need to be transparent insofar as their security practices are concerned.

Validation of these practices needs to be exercised, and not necessarily by a third-party vendor. Customers should do their own due diligence. Without these two items, compliance at the corporate level may not be achieved, and the liability the corporation assumes might be too great a barrier to entry.
We heard the panel's views about what belongs in the cloud (basically everything, including carrots and celery), who should use the cloud (everyone), what standards were good starting points for securing the cloud, and what vendors need to do to step up to the plate. Is this all really just lipstick on a pig though? It feels like a terrible case of déjà vu. Haven't we been through all of these issues in some form or another? When we outsource our development to a third-party vendor with an offshore presence, we have to worry about how they authenticate and authorize their developers (for that third party might also work for our competitor), we have to worry about import/export of our data and applications, we have to worry about privacy of our consumer data, and the list goes on.

If we are finding shortcomings in the security practices surrounding the Cloud, then we most likely already have holes of the same size or bigger in our current processes, Cloud notwithstanding. By addressing internal, Earth-y problems first, the inevitable slide towards the ever-economical, self-adapting, completely autonomous and very smart mass of Floating Water will become less painful for organizations.

Posted in not categorized    Tagged with cloud computing, JavaOne

