
Cloud security

01 Aug 2010

Whether it is the old nuclear foes, the United States and Soviet Union, trying to get along, a soon-to-be-married couple pondering the realities of life together, or an organisation adopting IT services from the cloud, one of the most difficult collaboration hurdles to overcome is how to give up control and shift to trust. US President Ronald Reagan summed up how best to overcome those collaboration roadblocks in his often-quoted phrase: “Trust, but verify”.

This approach builds trust over time through regular and mutual verification. There is no bigger trust inhibitor than obfuscation. Wondering whether a country is in fact reducing its nuclear weapons or where a spouse is actually spending money is not a path to long-term friendly relations.

Ask any IT security person what most concerns them about the cloud, and the core issue almost always boils down to lack of control: an organisation gives up control when it moves workloads or data into the cloud, and that loss is coupled with a lack of visibility or verifiability. The irony is that cloud providers may, in many situations, have better security systems and processes than their average enterprise customer. But because the customer has no direct control and only limited ability to verify the provider's security systems and practices, they must assume the worst.

This is the core security challenge that the industry must address. Another substantial concern for the average IT security person is the current reality of being completely bypassed in decisions about use of the cloud. A recent survey of cloud-consuming organisations revealed that exactly half of respondents were not confident that their organisations even knew about all of the cloud computing resources currently in use by their enterprise.

Business units often contract directly with cloud providers for service and do not involve the IT organisation at all. So, in addition to lack of control and verifiability, we must add lack of situational awareness to the list of concerns for IT security.

In a follow-up survey of cloud providers, scheduled to be released in September 2010, 75% of US respondents and 62% of European-based respondents said that cloud users were most responsible for ensuring the security of cloud resources. Given that the two other choices for "most responsible" were "shared responsibility" and "cloud provider", it is a concern that "cloud user" dominated the answers.

What could be more of a shared security responsibility than the cloud, where enterprise applications and data are split, and often flowing back and forth, between cloud users and cloud providers? Even though the cloud security story sounds rather grim right now, there is reason for optimism.

Those in the Web security world know how to attain sufficient control and visibility across the Internet. We have been dealing with this challenge, and inventing standardised approaches to efficiently manage cross-domain security, for years; and what is cloud security anyway but a massive cross-domain security issue? New technologies do not need to be invented; existing technologies and approaches need to be used by all participants in the cloud world, providers and consumers alike.

As more sensitive applications and data try to move into the cloud and are held up by a lack of sufficient control and visibility, and as cloud providers themselves become more mature and specialised, providers will invest more in opening up their internal security systems to greater direct control and visibility by their customers. For enterprises and cloud providers to attain an acceptable balance of security-related control and visibility, interoperability must be established at the level of security systems and processes. The only way to do this on a scale that keeps the cloud economically efficient for both sides is through security standards.

The issue of cross-domain security standards could be an article on its own but, in brief, such standards have already been invented: SAML for federated authentication assertions, XACML for expressing and evaluating access-control policy, SPML for account provisioning, and WS-Security and WS-Trust for securing SOAP messages and exchanging security tokens. What is needed is deployment of these standards, and of the distributed security architecture they enable, at a level pervasive enough to scale security control and visibility to the level of the cloud. There are early signs of this happening in the cloud market; just look at the level of adoption of SAML by cloud providers.
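What the "verify" half of trust-but-verify looks like in a SAML federation, as an added example that is not the article's own code: the relying party (the enterprise or the cloud service receiving the assertion) checks who issued the assertion, whom it was issued for, and whether it is still valid before acting on it. The example assumes the assertion's XML-DSig signature has already been verified with a proper XML-security library; the identity-provider URL, the service-provider audience URL and the sample assertion are constructed for illustration.

```python
"""Relying-party checks on a SAML 2.0 assertion (added example, not the
article's code).  Assumes the XML-DSig signature on the assertion has
already been verified by an XML-security library; what follows are the
condition checks that federation deployments most often get wrong:
trusted issuer, audience restriction and the validity window."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the issuer and audience URLs are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2010-08-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-08-01T12:00:00Z" NotOnOrAfter="2010-08-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.cloudprovider.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses, e.g. 2010-08-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, trusted_issuer, expected_audience, now,
                    skew=timedelta(minutes=3)):
    """Return (True, subject NameID) if the assertion may be trusted by
    expected_audience, otherwise (False, reason).  `skew` bounds the clock
    drift tolerated between the identity provider and this relying party."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "not a SAML 2.0 Assertion element"

    # 1. Issuer: accept only the federation partner configured for this service.
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != trusted_issuer:
        return False, "untrusted issuer: %s" % issuer

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "assertion carries no Conditions"

    # 2. Validity window, with a bounded allowance for clock skew.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"

    # 3. Audience: an assertion minted for another service must not be
    #    replayable against this one, so an absent restriction is rejected.
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
                 if a.text]
    if not audiences:
        return False, "no AudienceRestriction; refusing to guess"
    if expected_audience not in audiences:
        return False, "audience mismatch: %s" % ", ".join(audiences)

    subject = (root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS) or "").strip()
    if not subject:
        return False, "missing Subject NameID"
    return True, subject


if __name__ == "__main__":
    idp = "https://idp.example.com/saml"
    sp = "https://crm.cloudprovider.example/sp"
    for when in ("2010-08-01T12:01:00Z", "2010-08-01T12:30:00Z"):
        print(when, check_assertion(SAMPLE_ASSERTION, idp, sp, parse_saml_time(when)))
    print("wrong audience", check_assertion(SAMPLE_ASSERTION, idp,
                                            "https://other.example/sp",
                                            parse_saml_time("2010-08-01T12:01:00Z")))
```

The order of the checks matters less than their completeness: an assertion that is correctly signed but addressed to a different audience, or issued by an identity provider this service never agreed to trust, is exactly the kind of thing a relying party must refuse rather than assume is fine because the signature verified.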

If the U.S. and the Soviet Union, and most married couples, can attain relatively high levels of collaboration from trust built on control and visibility, so can the emerging cloud industry.