As with many who have postulated, provoked, proselytized and/or put down cloud services, I offer a few thoughts on the evolution that will come through in 2011.
Security remains the top inhibitor – but increasingly other concerns will rise as the security models are developed and risks are mitigated in more standard ways. Standards work with organizations like the CSA and the European Network and Information Security Agency (ENISA), as well as cloud service management tools (see HP’s Cloud Service Automation) that model, orchestrate and automate cloud setup, deployment and refactoring, will become the focus.
Security risks become clearer while breaches escalate - This is the “shooting fish in a barrel” prediction. While a significant number of security concerns around cloud computing are “gut reactions”, there will be a lot more clarity around what the risks really are. Our research with the Cloud Security Alliance (CSA), “Top Threats to Cloud Computing”, included examples of specific cloud-based security risks. In discussing examples of “Abuse and Nefarious Use of Cloud Computing”, we noted that “IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control functions.” In terms of shared technology risks, the vendor handing data over to authorities is one concern, but as more commerce, and crime, moves to the same infrastructure, situations where authorities go after a cloud provider’s infrastructure will arise and create some ongoing negative experiences. Consider the December 2010 report from ComputerWorld, in which the FBI raided an ISP in Texas, USA in an effort to identify the hackers who had recently launched denial of service attacks against web sites including Visa.com, PayPal.com and others, and took hardware from the ISP, which impacted the overall service. Similarly, in a 2009 raid discussed on Wired.com, a co-location facility of Croydon Technology was raided on March 12, 2009, and the FBI seized about 220 servers belonging to the company and its customers, as well as routers, switches, cabinets for storing servers and more. These sorts of physical actions are less likely against a business like Google, which distributes data across hundreds and thousands of storage devices throughout its huge data centers. However, as technology-related cases increase, the raids, or requests, will focus on the data itself rather than going down to hardware forensics.
At cloud scale, password cracking and similar brute force attacks become economical and effective – As I wrote this, an article from Dark Reading appeared: “Cloud-Based Crypto-Cracking Tool To Be Unleashed At Black Hat DC”. At the 2011 Washington, DC Black Hat conference, Thomas Roth, a researcher and consultant for Lanworks AG, will release his Cloud Cracking Suite (CCS) tool. He says he was able to successfully crack 400,000 passwords per second using eight Amazon Nvidia GPU instances, and 45,000 to 50,000 passwords per second with just one GPU instance.
Many of these risks align with traditional IT and computing concerns; however, what has changed in terms of cloud security is that the attacks are more virulent, aggressive, insidious, massive, explosive, focused, increasingly fiscally motivated, personal, global and localized. There are many more things that cloud services will create in terms of security risks, but this is a 2011 prediction that I believe will continue year over year. I recommend that enterprises spend the time to work with both vendors and organizations like the CSA and ENISA to assist in developing and standardizing security practices for cloud services.
Hybrid Clouds become the expected norm – but the reality is that customers will continue to approach cloud from multiple entry points, with a managed hybrid model as their vision. The initial use of cloud may be private cloud, specific SaaS solutions, or compute or storage IaaS solutions. The issue that most customers need to consider, as with the introduction of all new IT capabilities, is: how do we do this fast, without creating a new morass of management issues for IT to clean up down the line?
Data privacy breaches and concerns increase worldwide, driving legislative changes – The concern over privacy has been more than a whisper for years, but as the data is increasingly collated and, sadly, exposed through security breaches or failures, concern will drive more action by both authorities and governments. I would wholly recommend that governments align in a G20 type environment to try and collate a common approach to dealing with the needs and concerns of constituents, customers and corporations. Unfortunately, 2011 will not see much movement in this way without support from the industry and the populace. New related legislation will appear worldwide, and that is the prediction for 2011. While not always required… Some legislation will be good, much will be bad.
Patently Obstructive Practices - More patent-related suits will be filed, impacting the speed at which cloud services are accepted and developed. I’ll say no more than that the patent system, especially in the USA, is broken and will cause ongoing issues for many!
Community clouds multiply – Many early cloud service providers focus on generic compute and storage capabilities with basic APIs and minimal certifications such as SAS 70. It is true today that cloud service providers are increasingly looking at ensuring their environments support various standards or have specific certifications, such as FISMA, PCI and HIPAA from the US perspective, or ISO27k certification from a more worldwide viewpoint. The market is now also increasingly looking for cloud services to focus on specific industry or functional needs. Examples today include the U.S. Department of Defense (DoD) Defense Information Systems Agency (DISA) cloud computing infrastructure, available to all DoD users to provision compute resources across the entire DoD services, agencies and combatant commands. Another example is the HP Agilaire Passenger Service Solution - Agilaire is designed to enable airlines to offer their passengers a differentiated travel experience while simultaneously improving the airlines’ business performance.
For more 2011 cloud predictions from HP experts read the Grounded in the Cloud post here. [http://h30501.www3.hp.com/t5/Grounded-in-the-Cloud