Archie Reed’s Secure Observations Blog - Page 3 (HP Enterprise Business Blogs: Inside the Data Center)
HP panel examines proper security hurdles on road to successful enterprise cloud computing adoption
A couple of months ago I took part in a podcast hosted by Dana Gardner of BriefingsDirect. Alongside Tim Van Ash and David Spinks, also from HP, we discussed the cloud security challenges that stand in the way of successful enterprise adoption.
The podcast is up: you can listen to it, or view or download the full transcript if you prefer to read through.
When discussing the state of the cloud solutions today, Tim noted:
"Typically, what we see is that organizations often have concerns. They go through the fear, uncertainty, and doubt. They’ll often put data out there in the cloud in a small department or team. The comfort level grows, and they start to put more information out there."
"Obviously, the current economic environment is putting a lot of pressure on budgets, and people are looking at ways in which they can continue to move their projects forward on investments that are substantially reduced from what they were previously doing."
"But, the other reason that people are looking at cloud computing is just agility, and both these aspects, cost and agility, are being driven by the business. These two factors coming from the business are forcing IT to rethink how they look at security and how they approach security when it comes to cloud, because you’re now in a position where much of your intellectual property and your physical data and information assets are no longer within your direct control."
David noted:
"Areas such as audit compliance, security assurance, forensic investigations, the whole concept of service-level agreements (SLAs) in terms of specifying how long things take have to change. Companies have to understand that they’re buying a very standard service with standard terms and conditions."
"As you move out into an outsourcing model, where we’re managing their technology for them, there are some changes required in the policies and procedures. When you get to a cloud services model, some of those policies, procedures, and controls need to change quite radically."
There is much more discussed, however. Rather than repeat it myself, see Dana's summary, which also notes the following offer:
You can get a complimentary copy of "Cloud Computing For Dummies" courtesy of Hewlett-Packard at www.hp.com/go/cloudpodcastoffer. It's basic, but good for setting the stage with management.
Tags: cloud, GRC, identity management, security
REPOST: Cloud Security - Key Risks for Cloud Computing
The cloud is a means by which global class, highly scalable and flexible services can be delivered and consumed over the internet through an as-needed, pay-per-use business model.
This is one of HP's core definitions of cloud computing. For other approaches and definitions you can look at the Jericho Forum Cloud Cube model, the Cloud Security Alliance best-practice guidelines, and the view of cloud that NIST recently offered as part of its investigation into cloud computing. More are out there, but these provide a good baseline.
The cloud offers great benefits for any type of business looking to manage the cost and effort of its IT services. However, business expectations of cloud solutions are also very complex. My colleague Fred Cummins has written an excellent post on the "Business Expectations for Cloud Computing". Having been asked to lead some of HP's cloud security efforts, I wanted to expand on some of these thoughts in relation to security, as well as review some of the related market shifts we are dealing with.
In this thread I primarily take the enterprise or business focus, but by no means does that restrict the conversation to those entities. It is critical to consider the requirements and impact of cloud security on the individual consumer of cloud services, as well as on the cloud or service providers themselves.
I started at a high level, listing what I consider the security of cloud services requires. Each item is a trigger term with a short description of the risk area I am referring to. I'll describe each in detail in upcoming posts:
- Here Today, Gone Tomorrow - viability, disaster, and stupidity are just some of the reasons your provider may not be there.
- Trust but Verify - cloud providers may offer better security, but your business still needs ongoing GRC.
- Ride the Wave or Get Dumped - barring capital punishment, business groups will take the easiest tool that gets the job done.
- Isolation is Bliss, until it's not - many walls are needed to protect your business data and processes, and data loss prevention is just one start. In parallel, isolation is an issue if it means you cannot get your data out of the vendor.
- Who, What, Where, How? - Identity Management does not go away in the cloud; in fact it becomes more important.
- You can Delegate, but you can't Abdicate Responsibility.
These are not new issues; they just require some thought and analysis to define what they mean when talking about cloud services. Many other folks have lists of 7, 10, even 11... For example, as part of this effort I also took a look at the various analyst and journalistic efforts, such as Gartner's "Seven cloud-computing security risks". In summary, those risks are:
- Privileged user access
- Regulatory compliance
- Data location
- Data segregation
- Recovery
- Investigative support
- Long-term viability
I am trying to provide some broad buckets to make sure we can discuss which security risks are important to each participant (consumers, business customers, service providers, etc.).
What's really needed to help organizations better understand their cloud security requirements?
Awareness is the start.
My list is still a work in progress, so let's work it together...
Tags: cloud, GRC, identity management, security
Virtualization and Security...
In my post "Virtualization - Rethink Virtualization in Business Terms", I said - " a huge field with a great deal of market(ing) opportunity, AND a great deal of expectation..."
It's true when you consider virtualization and the resulting requirements in terms of cloud computing, data center consolidation, servers, desktops, mobile devices, storage, networking, even file & print and beyond. Yet even if you follow my thinking, "secure virtualization" seems to be getting off to a slow start. Perhaps this is because it is treated as just another standard security issue, to be dealt with as such...
Alone, virtualization is a way of improving cost management options amongst other key business drivers.
Alone, security is often either expected as a core of a solution or ignored.
Putting them together in a single project, especially one focused on cost reduction, risks taking the path of least resistance - i.e. We'll worry about security when it's an issue....
Sure, sounds like a plan (sarcasm)
To me, while virtualization is a hot topic and an easier sell, it still has several traits in common with the security market and its related implementations:
- The concept or requirement can be applied to almost any situation, sometimes twisted to suit, and the requirements can vary significantly depending on context. See the initial VMware announcement around VMsafe. Originally this was mooted as a great security capability, but even a cursory examination showed that to be wishful thinking; in reality it did little more than allow for basic monitoring. The long-term goal, however, showed greater promise, and if you check out the current status of VMsafe you can see that VMware has taken important steps to improve its capabilities. In reality, though, they are still missing a critical part of the effort: standardization and interoperability.
- There are a bunch of startups focusing on virtual computing with a security bent, all trying to get your attention to solve parts of the problem; see Trend Micro's interesting acquisition of Third Brigade.
- Consolidation is an ongoing mode; see Oracle's acquisition of Virtual Iron (and Sun, for that matter).
HP plans to help mitigate some of these issues, as we do with HP Secure Advantage and HP Security Services. Along with HP's recent announcement of new hardware, software and services to help customers realize the promise of virtualization, HP is working closely with customers and partners to ensure we can do better, and we will.
This will become critical as we are considering the easier migration of services to the cloud, especially once they are virtualized.
Tags: cloud, security, virtual computing
Virtualization - What's Missing? Part 2
So, what's missing today? Many things, especially as we look towards the approaching clouds.
I have been editing this entry for a while now, but an article came up this week that made me reference it over some of my own thoughts, as it aligns nicely with my thinking. The article, in this month's Linux Magazine, is "The Hypervisor of my Dreams: A Virtual Wish List" by Ken Hess. In it he details several aspects of virtualization that are compelling, but more importantly the aspects that need resolution and alignment, essentially:
- High Availability
- Superior Disk I/O
- VM Cross-Compatibility
- True Automated Workload Motion
- Agnostic Management
- Expanded Hardware Compatibility
I agree. For example, to be more explicit about agnostic management, we need common, tested management APIs, or at least a common set and map of functions. We are a long way from that today, as vendors try to maintain competitive advantage.
Things will be tough for a while, as there are only a few "standards" or approaches that would help here. The issue is that unless customers push vendors for these things, we'll have it tougher later on as we try to fill the gaps.
I would consider the following to also be on my wishlist, some of which are higher level, some lower:
- Common security models including AAA, key management, trusted root/boot support and more.
- Better process (server priority) and data classification capabilities and related tools.
- Agnostic network support for better monitoring and security support.
The potential for increased introspection available through VMware's VMsafe API is valuable, especially if you use VMware's management tools or one of their partners' tools. However, you have an issue in a heterogeneous environment with Xen or Microsoft's Hyper-V: you either end up with multiple management tools, one from each vendor, or rely on management software vendors, like HP, to spackle the gaps as much as they can.
We've seen the OVF (Open Virtualization Format) and the related Distributed Management Task Force (DMTF®) Virtualization Management (VMAN) initiatives. OVF provides help with offline patching and inspection (integrity checking) of VM images, but it is a small start, and it took years to get to a 1.0 release just this March. DMTF is also developing an Interoperability Program for Virtualization Management, so there is good stuff happening. However, in relation to the requirement for VM cross-compatibility, this is far from it: being able to inspect OVF images does not allow us to move from one VM vendor to another, because the metadata can be vendor-specific.
Compare that approach with the VMware vSphere and Cisco Nexus 1000 tie-up for cloud computing. Consider the positive and negative implications of tying your infrastructure to that networking combination. It limits your flexibility for migration. It locks in a security model that may not meet your needs. That may be fine if you really want the Cisco security model extended to the cloud; there is nothing specifically wrong with that choice given Cisco's position in the network environment. However, that's a high cost for a lock-in, especially as you move out to cloud providers that may not support that networking option, and you're still left with the management issues. Many people like Cisco's management tools for security; many do not.
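The offline image inspection the post credits OVF with rests on the package manifest, so here is an added example of that integrity check (my illustration, not code from the post, DMTF or VMware): a Python checker that parses the manifest's "ALG(file)= digest" lines, recomputes each listed file's digest, and flags mismatched, missing and unlisted package members. The sample package contents and manifest are constructed, not real appliance artifacts.

```python
import hashlib
import hmac
import re
# Each OVF manifest (.mf) line has the form "ALG(filename)= hexdigest", e.g. "SHA256(disk1.vmdk)= ab12..."
MANIFEST_LINE = re.compile(r"^(?P<alg>[A-Za-z0-9]+)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)$")
# Digest algorithms this checker trusts; anything else is reported rather than silently skipped.
SUPPORTED = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_manifest(text):
    """Return (algorithm, filename, expected_hex) tuples; a malformed line is an error, not ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries.append((m["alg"].upper(), m["name"], m["digest"].lower()))
    return entries


def verify_package(manifest_text, files):
    """Check an unpacked package (filename -> bytes) against its manifest; returns {filename: status}."""
    results = {}
    for alg, name, expected in parse_manifest(manifest_text):
        if alg not in SUPPORTED:
            results[name] = f"unsupported-{alg}"
            continue
        data = files.get(name)
        if data is None:
            results[name] = "missing"  # the manifest promises a file the package does not contain
            continue
        actual = SUPPORTED[alg](data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in files:
        results.setdefault(name, "unlisted")  # shipped in the package but never integrity-checked
    return results


# Constructed sample package (not a real appliance): a descriptor, one disk image and a stray file.
SAMPLE_FILES = {
    "appliance.ovf": b"<Envelope>constructed descriptor</Envelope>",
    "disk1.vmdk": b"KDMV constructed disk image bytes",
    "notes.txt": b"not covered by the manifest",
}
# Manifest derived from the sample; disk1's digest is zeroed (tampered image) and disk2.vmdk is absent.
SAMPLE_MANIFEST = (
    f"SHA256(appliance.ovf)= {hashlib.sha256(SAMPLE_FILES['appliance.ovf']).hexdigest()}\n"
    f"SHA256(disk1.vmdk)= {'0' * 64}\n"
    f"SHA256(disk2.vmdk)= {'0' * 64}\n"
)
```

The manifest only binds file names to digests; unless it is itself covered by the package's signature (the OVF .cert file), a replaced image can arrive with a matching replaced manifest, so verify that signature before trusting any "ok" result.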
What else are we missing? Customer involvement. You need to get involved to make your needs heard by the vendors, in the standards, and to ensure that the required openness occurs!
Tags: cloud, security, virtual computing