Cloud Security Alliance Congress 2010 Summary – Part 3 of 4
The Cloud Security Alliance kicked off its first major event November 16-17, 2010 in Orlando, Florida. The CSA Congress 2010 successfully hosted 370 people with talks covering all aspects of cloud security over two days.
For those who were not in attendance at Congress, this four-part series will summarize some of the most popular sessions at the event.
This is part three in a 4-part series of posts summarizing popular sessions at the Cloud Security Alliance Congress 2010 event held in November 2010 in Orlando, Florida.
Keynote Address: The Cloud Computing Forecast From a Former Regulator
Pamela Jones Harbour kicked off the second day with a regulator’s perspective. She spent seven years as a regulator with the Federal Trade Commission (FTC) where, among other duties, she looked closely at privacy and data security. Pamela states that people are unsettled by ‘the cloud’ due to the fact that it is not obvious and transparent. “90% of the consumers of the cloud expressed concern”, she said quoting an information week article. “There is significant amount of work to do to build consumer confidence and trust takes time and effort to build”, she states.
She also talks about the increasing adoption of cloud computing in the public sector and the savings that have already been realized. For example recovery.gov predicts a $750,000 savings over two years and the Fair Labour Relations Authority sees over $600,000 in the next five years.
Harbour spoke about online advertising studies in relation to any company that collects and processes data (as in public cloud models). For every potential efficiency there exists a potential harm. Harbour likens the challenges faced with cloud computing to storm clouds on the horizon. Among the storm clouds are data privacy, data security, competition and challenges with national law. She asserts that people don’t understand how data is being used and lack the information to make meaningful choices regarding terms of service (something the FTC has looked closely at).
Though the news is not dire, Harbour already sees companies starting to compete on privacy and data security as differentiators. She believes that industry and government need to work together to build a safe and secure cloud that earns trust.
Standards Acceleration to Jumpstart Adoption of Cloud Computing
Lee Badger with NIST discussed standards with regards to cloud computing. NIST will deploy and populate a portal with use cases, specifications and pointers to reference implementations. Currently there are self-generated use cases, however in the future they will come from both private and public sources. NIST is focusing on future-oriented use cases in an attempt to look for standards gaps. Their use cases describe how groups of users and their resources may interact with one or more cloud computing systems to achieve specific goals. One example is the exchange of funds between parents and the bank, then the bank and the college when saving and paying for school.
NIST sees this as an effort that will help determine what standards need to be extended or perhaps where new standards are needed for cloud computing.
You can see more on this work from NIST at www.nist.gov/itl/cloud.
Enforcing the Four A’s on Cloud Resources
The next session was presented by Lincoln Cannon from Merit Medical Systems. As a former Symantec employee Cannon has experience in security. Merit Medical is a manufacturer and seller of medical devices and has a significant remote sales team that needed a more reliable way of sharing production information and training. They looked to cloud applications to fulfil a mobile workforce. The talk was about the experiences he and his team had moving to cloud computing.
They started out with email and VPN supporting the mobile workforce. This produced an issue with unmanaged copies of the information that became stale, and issues with speed. They turned to a mixture of cloud services such as LinkedIn, Facebook, Blogger, AWS, Twitter, YouTube and Scribd for the public data. For private data they turned to an e-learning system called eLeaP and Google Docs/Video. They embedded docs in the training, creating a single source of editing and displaying with no replication of data.
While this made it easier for the workforce to access the data they ran into issues with having a diversity of services. They had a lot of users of the private information in Google Docs/Video and eLeaP. Merit Medical Systems had authentication issues where each user had a different account for the different services. They had an authorization issue where revoking rights across multiple cloud systems created a challenge. Administration and auditing was also a challenge.
They decided to tie everything together with a security system to improve the 4 A’s. They found a company called Simplified that acts as a broker to multiple cloud services. This tied to their existing Active Directory to provide a single source of authentication and authorization. Google Apps has the ability to re-direct the authentication and authorization, fully disabling the built-in authentication. They had to work with eLeaP to provide a similar ability.
This was an interesting study where the majority of the data is public or lightly protected. Merit leaves financial and HR data to traditional systems out of SOX concerns, though Cannon feels that this type of infrastructure may be mature enough to look at in the future.
In the next and final post we will look at the top threats to cloud computing and the future of the CSA.
For very detailed information about Trend Micro and Security Built for Enterprise Virtualization and Cloud Environments, please go to this website: http://bit.ly/dEmlhv