So... a bit of PR to start this post.
Yesterday, HP introduced a security services portfolio and new solutions that offer increased vulnerability assessment, enhanced data protection and improved compliance controls, enabling customers to reduce infrastructure risks. This integrated approach empowers organizations to more effectively manage risk, protect critical infrastructure, safeguard the continuity of operations and maintain regulatory compliance. Thus, HP is making it easier to purchase, implement and integrate security across the enterprise, from data center to desktop, as well as the cloud.
This offering is all under the umbrella of HP's Secure Advantage ...
HP Secure Advantage offerings are designed to protect resources, data and provide secure validation by allowing companies to customize services to better align with their security requirements. New offerings and enhancements include:
- HP Security, Compliance and Continuity Services help customers design, implement and maintain their security management functions by offering a range of services that can be adapted as needs evolve.
- HP Cloud Computing Security Assessment joins the existing HP Cloud Discovery Workshop and HP Cloud Assure Services to help secure cloud computing environments.
- HP Application Security Center of Excellence (CoE) Services increase web security by preventing malicious attacks with workshops and assessment services designed to help businesses create an efficient application security program.
- HP Access Control Secure Printing Suite safeguards data by defending printers from threats and protects valuable information.
- HP Client Automation lowers security costs by creating a common management framework that integrates compliance, assessment, remediation as well as third party solutions in a single tool.
- HP Business Services Automation (BSA) Essentials Network delivers the latest regulatory compliance standards via an online portal to ensure a high level of confidence.
- HP Enterprise Secure Key Manager (ESKM) reduces risk by maintaining regulatory compliance with set key management policies and controls that provide consistent, unified management of keys across the data center.
View the full press release at:
For more information on HP Secure Advantage and the new HP Security, Compliance and Continuity Services portfolio:
I've just finished presenting a webcast on "Cloud Computing: Practical Governance and Security" through BrightTalk.
You can go to the site here:
You can watch the talk directly here:
I am presenting a webcast through BrightTalk on December 15 titled "Cloud Computing: Practical Governance and Security".
The abstract of the talk is:
The rise of cloud computing, with services delivered "in the cloud", offers businesses incredible power and flexibility, but not without a whole new set of governance and security challenges. How do you manage this situation and still gain the advantages offered by cloud computing? HP Chief Technologist for Cloud Security, Archie Reed, will share practical tips for securing and governing these emerging environments.
My intent is to review a number of real world scenarios and solution approaches that have worked so far. You can register and attend here: http://www.brighttalk.com/webcasts/7853/attend. I'll post an embedded player when it becomes available; you will see the info below.
I welcome any questions ahead of time through the comment area below.
Cloud Security - New ISACA Whitepaper on "Business Benefits with Security, Governance and Assurance Perspectives"
ISACA put out a paper on 29th Oct, 2009, titled "Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives".
While somewhat short, this paper is a must-read for senior IT and business folks, as it shows that cloud computing still fundamentally requires work in terms of new and updated strategies to mitigate risks and manage governance and regulatory requirements in order to truly succeed in broad enterprise computing solutions. Not barring the success of vendors such as Salesforce.com, who maintain a huge amount of their own customers' CRM data with a very minimal real guarantee of security or even service levels, the broad issue of security in the cloud remains the touchstone for many enterprise conversations.
Cloud Computing holds the promise of offering services on demand that are global, rapidly elastic, cost controlled and with minimal management. However, when you actually try to address the security issues (concerns), such as data loss protection and identity management, those compelling facets of cloud computing start to erode, as security does introduce a level of cost and complexity that most cloud providers are not fully embracing. Once additional requirements such as forensics with full audit trails appear, this simple slice of cloud will become a real storm (tropical, violent, gale-force, unmentionable, or something else; it will depend on the situation).
This is why the efforts of the CSA and others are critical to get a level of standardized approaches, if not standards themselves, to help organizations adequately deal with this reality. While this is a short paper, it does precede a valuable update and expansion of the original CSA "Security Guidance for Critical Areas of Focus in Cloud Computing".
Leaving aside the grammatical issues with the article's title, and IBM for that matter, let's consider what Mark had to say and what HP thinks are the real issues and real solutions for cloud computing.
Firstly, what about HP's own potential use of cloud computing as quoted by CNET -
"The cloud is real for many consumer services," he said. So why isn't it suitable for HP's core financial records stored in the general ledger? "Security, for one thing. We get about 1,000 hacks a day. They're more sophisticated every month," Hurd said. "Security and reliability is a huge thing. It's unlikely we'd put anything outside the firewall that's material in nature that we couldn't 100 percent secure."
Those in the audience gave me the following insights.
- Mark was asked about disruptive technologies and brought cloud computing up as the first example.
- Customers that he talks with find the term "cloud computing" too vague... There is a critical need to break it down into clear services and simplify service offerings
- "Behind the firewall clouds can do great things"
- In front of the firewall, "HP is experiencing 1000 hacks/day"
- Mark is NOT in favor of email or financials in the cloud (C/NET article quotes this verbatim)
- There is a need for 100% secure clouds
- "HP will play in 100 percent secure clouds".
- Security and Reliability are key...
- Critically, Mark talked a lot about security. In fact, he spoke more about security in this cloud context than ever before.
Broadly, security remains the #1 concern or barrier to using cloud computing (definitions aside). IDC recently released their "Cloud Computing 2010 - An IDC Update" report, which showed that year over year security not only remains the #1 concern, but in fact grew from 74.6% in 2008 to 87.5% in 2009. What is interesting here is that while security remains the #1 concern for cloud computing, it still does not feature in ANY of the common cloud definitions...
Regardless, HP offers its own views on how to manage the enterprise approach to cloud computing which heavily emphasises security and risk management in general as key components to its strategic use. In fact, this week we published a very high level article on how "Faith-based IT doesn't work in the cloud".
Firstly, when you utilize the cloud, it's critical that you know where your data is, how it's protected, and who can access it. Unfortunately, many cloud service providers don't share these details. Even worse, many make no promises about protecting your data. Here are the key points to consider for a secure approach to cloud computing:
Classify: When considering a cloud service, first classify your data to determine its suitability for the cloud. Doing a cost benefit analysis is an important part of this process. Are the savings of putting data in the cloud worth the risks of breaches in security or privacy regulations?
Assess: Find a service provider that does security assessments to determine whether your application or data is ready for the cloud. The best service providers will determine which compliance regulations you're subject to and help you meet them.
Start with non-sensitive data: Don't begin your foray into the cloud with applications that expose your customers' credit card numbers and bank account information. Start with the less risky applications until you can securely manage the model and your provider's services.
Critically evaluate service provider agreements: Find out exactly how your service provider plans to secure your data and keep it private in the cloud. If your data is critical to the business, demand satisfactory assurances from your provider. These include appropriate terms of service (TOS), acceptable use policies (AUP) and service level agreements (SLAs).
Encryption: Don't leave encryption to your cloud service provider. Make sure you have key lifecycle management in place. Also, using your data classification effort as guidance, encrypt your data as appropriate and necessary.
Insist on transparency: Demand the ability to know what's happening in the physical infrastructure that underlies the virtual infrastructure.
This is a very short article on the issues and how to approach cloud computing in a simpler and more secure manner. Look for much more from us on the HP Secure Advantage for secure cloud solutions alongside our overall HP Cloud Computing Solutions strategy breakdown, including "HP's Cloud Assure service enables security and performance in the cloud" and "HP's Cloud Consulting Services".