Cloud Security Alliance Congress 2010 Summary – Part 1 of 4 parts
The Cloud Security Alliance kicked off its first major event November 16-17, 2010 in Orlando, Florida. The CSA Congress 2010 successfully hosted 370 people with talks covering all aspects of cloud security over two days.
For those who were not in attendance at the congress, this four-part series will summarize some of the most popular sessions at the event.
Keynote Address: Creating a Safer, More Trusted Internet
Scott Charney, the Corporate Vice President of Trustworthy Computing at Microsoft, kicked off the congress with his keynote. He has been taking a look at the complex problem of Cloud Computing security and attempting to decompose it into its base parts.
He related information security to fighting a war, though unlike a physical battle, where you can isolate your battlefield and generally determine who is attacking and why, things aren’t so clear on the Internet. “The Internet is such that you can’t tease it apart. You can’t separate the battlefield,” he said. “We have major challenges with attribution and an incredible amount of ‘noise’.” He further asserted that moving to an authentication system for the Internet (similar to the ID systems that some countries have rolled out for Internet access) would help cut down the noise, though not entirely eliminate the threat.
Charney broke the threat down into cyber crime, economic espionage, military espionage and cyber warfare. The challenges are wide-ranging, from shared accountability and co-tenancy to identity, privacy and jurisdiction. He also talked at length about availability, the future ubiquity of sensors and devices, the problem of unlimited storage and searchability, personas and the evolving business models that will be enabled by cloud computing.
Scott left us with a lot of questions, but not a lot of answers. It’s clear that the complexities involved with Cloud computing will take years — if not decades — to get a firm grasp.
WINnovation: Disruptive Innovation and Cloud computing Security
Up next, the dynamic duo (Chris Hoff and Rich Mogull) talked about disruptive innovation in relation to cloud computing. Having seen a variation of this before at RSA, it was interesting to see how the talk has evolved over time. Back in 2007, this talk looked at the trends from outsourcing and SaaS to virtualization and so on. Looking back on this, Hoff and Mogull realize that all of this innovation was leading up to what we now call Cloud Computing. Given that that was just three short years ago and it was then hard to predict the level of disruption we have today, they made the point that it’s very hard to see where things are going.
Yet they were careful to comment that cloud computing isn’t radically new. They quoted from a recent tweet that, “Paradigm shifts are for those that can’t spot trends.” People tend to treat disruptive innovation as something that happens to them (like a medical problem). But Hoff made the point that innovation tends to be cyclical and somewhat predictable. Most importantly, you need to manage disruptive innovation, not fight it.
Really this comes down to survivability and information centricity. According to Mogull, data today resides in two silos: the data center/enterprise applications (where the data lives) and productivity applications (where data is created and often temporarily stored). He said that the focus is mostly on protection of the former while the latter is becoming the bigger risk. Counter-intuitively, data is increasingly becoming more dispersed as it centralizes.
The prescription for this particular problem, according to Hoff and Mogull, is that information must be self-describing and defending while our systems have to become increasingly survivable. Policies and controls must account for business context; information must be protected as it moves between silos. This means the return (or “revenge” as they termed it) of VPNs and PKI and an increasing importance of IAM, DLP, DAM, Tokenization, and new information-centric technologies.
Hoff stated that software needs to become increasingly survivable. We need to understand replication, secure storage and transit, and leverage elastic models of cloud computing and security. We are in an age where we are moving from reliable hardware and unreliable software to reliable software on unreliable hardware (cloud instances, mobile devices) and the security must follow suit. Architects and developers need to design as if their application components were plugged in anywhere.
In the next post (part 2 of 4 parts) we will be looking at Chris Hoff and Rich Mogull’s solo sessions that dive deeper into the concepts explored in the WINnovation talk.