Charlie Bess, HP Fellow writing in HP's "The
Next Big Thing" blog, picked up my the recent white paper"Security and Cloud Services - Securing a business advantage" and posted some thoughts as "Security,
cloud and concerns about our data".
Good discussion points here where Charlie notes concerns around the potential that both benefits and challenges are "viewed with today's limited resource perspective". More specifically he notes that there are "significantly broader possibilities with a related increase in value
No doubt about that.
Planning for the viability of unlimited resources (bandwidth, storage,
compute capacity, functional services etc) was not the purpose of the
paper however. Firstly, it is important to note that the paper is focused on how to deal with the benefits and risks of cloud services and cloud computing options today. The majority of customers and partners that I talk to are working to make the best use of what is available today, as well as understand how they can. More specifically, they want to know if the risk is real in what circumstances, and how can they manage the security aspects of cloud type solutions - public or private.
I would point out that like many previous technology adoptions, cloud computing is evolving. A clear difference in this instance is the speed with which that evolution is taking place, and the immense scope of changes that are possible in terms of business opportunities and business models. Risks associated with cloud solutions that span the globe can be pointed to with great concern, but perhaps just as importantly is the business risks of ignoring the opportunities.
Salesforce.com have shaken up the Sales Force Automation (SFA) for years by changing the business model for delivery. In the February 22nd, 2010 Data Center Knowledge article "How
Much Are Cloud Providers Making?", Linda Leung notes that:
In February 2009, chairman and CEO Marc Benioff boasted that Salesforce.com (CRM)
was the “first billion-dollar cloud computing company,” when the
company announced 2009 year-end revenue of $1.077 billion, a 44 percent
increase from 2008.
This during one of the most down market economies ever experienced. Leung also offers specifics and estimates for various other providers such as Amazon Web Services, Savvis, Rackspace, NetSuite and more.
For an example of a new business model, like it or not, Facebook is a huge business (one EOY estimate has Facebook approaching US$1B in 2009 revenue). Others are riding atop riding atop the Facebook platform and software services. Business Week in their Apr 22, 2010 article "Zynga and Facebook.
It's Complicated" estimated US$450M+ 2010 revenue for the social gaming company Zynga, which would not exist as it is today without Facebook, as well as the infrastructure to support their solutions.
the security vein however, Facebook are facing huge backlash as a result of
continuously changing tier privacy policies. As a result they have been hit
with a large amount of negative press and publicity ranging from from nation
states to privacy advocacy groups who are both considering legal challenges.
There are so many articles over the last couple years dedicated to this issue,
but for reference, here are some recent ones:
This is just one small part of the security issues that are faced by customers and providers where speed and change are almost synonymous.
Over the last few months I've been working on a Point of VIew around secure cloud computing with Mary Ann Mezzapelle, chief technologist for Security Services for HP in the Office of the CTO, and my colleague from HP Enterprise Services. That effort has resulted in the following white paper:
Simply, the usage of cloud services is seeing explosive growth, offering compelling, scalable, and elastic solutions in addition to benefits such as on demand, pay-per-use, and even resilience over existing Internet protocols. Because of this, vendors of all types are marketing a broad spectrum of products and solutions as “cloud services,” even relabeling their existing products with cloud terms. As a result, many organizations, and often individual business units, are jumping headlong into cloud computing, or—at the other extreme—trying to avoid it however possible. Because there is so much hype and confusion around the word and the concept, HP approaches cloud services as an opportunity to re-examine both business and IT strategies, with a focus more on desired outcomes and specific deliverables—for example, new compute capacities that adjust with business needs and offer countless ways to deliver.
The concept of cloud services aligns closely with the HP strategy and vision for our partners and clients of "Everything as a Service" (EaaS).
Many definitions exist for cloud, and most align with HP's, as well as extend the previous memes of Web 2.0 and distributed computing. In a nutshell, it is a means by which highly scalable, technology enabled services can be easily consumed over the Internet on an as-needed basis.
However, this definition, like most others, doesn't accommodate any requirement for proper or even minimal security, assuming perhaps that security is inherent. This is far from the reality. Although many cloud service providers incorporate security into their approaches, they rarely align their security solutions with traditional enterprise client security approaches for reasons of scale, flexibility, and cost.
Fundamentally, many clients and providers of cloud services achieve these obvious benefits at the expense of security - this may be a strategic choice taken with adequate risk analysis and consideration, but that is the rarer case.
HP believes that secure cloud computing will allow you to more rapidly evolve business strategy. By refining your security requirements, there is the opportunity to identify cloud services to enable business outcomes while maintaining your security posture.
This white paper details the approach and taxonomy that we think about when trying to consider cloud services and appropriate security to ensure you can gain a business advantage.
For more information you can check out HP's new "Secure the Cloud" site, which incorporates a FAQ, many links to related information, and other downloads.
The benefits of cloud computing are clear, but many businesses are still wary of the security implications. How can you be assured that your data is as safe in the cloud as it is in your own data center? What are the security pros and cons of public vs. private cloud? Are there security assurance certifications that you should ask of your service provider?
We've just finalized a set of informative write-ups, white papers, blog entries and tips for dealing with cloud security - public and private - HERE
To frame the requirements, we compiled an FAQ to help better understand cloud security. More than that, this site serves as a topical resource page, one you’ll want to bookmark as we plan to update it regularly. We’ve listed a myriad of links to white papers, blog posts, associations and other Web articles under each answer so you can research more information.
Last month I spent some time in a roundtable moderated by Dana Gardner of BriefingsDirect with a fellow HP'er Christian Verstraete, Chief Technology Officer for Manufacturing and Distributions Industries Worldwide at HP.
"There are also regulations and compliance issues that can vary from location to location, country to country and industry by industry. Yet cloud advocates point to the benefits of systemic security as an outcome of cloud architectures and methods. Distributed events and strategies based on cloud computing security solutions should therefore be a priority and prompt even more enterprise data to be stored, shared, and analyzed by a cloud by using strong governance and policy-driven controls.
So, where’s the reality amid the mixed perceptions and vision around cloud-based data? More importantly, what should those evaluating cloud services know about data and security solutions that will help to make their applications and data less vulnerable in general?"
This white paper is intended to help companies make prudent risk management decisions regarding adoption of cloud services. The paper can be downloaded here.
This is pretty good stuff, and we plan to update it every 6 months or so as and when threats change. I discussed this release with Jim Reavis, Executive Director of the CSA, which we've called "The 7 Deadly Sins of Cloud Computing." You can see our conversation on video here: http://h30431.www3.hp.com/?fr_story=6ae3d81a58fe90b09753fdeeac5a7c2f41747820&rf=bm