My previous blog discussed the “Securing the cloud ecosystem” panel from Cloud Computing 2010. The panel had representation from a security vendor (Scott Chasin from McAfee), two large professional consulting organizations (Ronald Knode from CSC, and Shahed Latif from KPMG) and a services company (Niall Browne from LiveOps). The question of where we are now with cloud computing security, and where we go from here, was so interesting that I decided it was worth its own blog.
Cloud computing security is currently in the classic list phase. There are tens, if not hundreds, of lists available online spelling out the seven most important things a large (or medium, or small) company should do to ensure cloud security. Add a variant for whether or not the enterprise’s IT is mature. Add another for whether we are talking about SaaS, PaaS, or IaaS. The lists go on and on. Lesson of the lists: don’t forget why you created the list in the first place. Don’t lose track of why you want your cloud to be secure. Security is not just about preventing threats; it is about adding business value to the enterprise. Examine what you are doing and be sure it IS adding value to the enterprise.
So here is my addition to the lists: Three things Cloud Computing Security needs to move into Cloud 2.0.
1.) Agree on standards and how to measure them. Customers are asking about standards and transparency. We don’t have any standards today that were written for the cloud; the existing ones are based on older models. For instance, SAS 70 dates from 1992 and addresses a one-time (or at best annual) snapshot of a provider’s controls, not the continuously changing state of a shared, multi-tenant service. Cloud consumers must figure out the standards they require from cloud providers. Even after we agree on a standard, we need to determine who should verify compliance. Should that be the cloud vendor? Should that be a trusted third party? Can the enterprise do it themselves?
2.) Figure out how to handle identity and access management. Today, no one has really cracked the identity, access and authentication model for the clouds. The best we have today is to extend Single Sign On (SSO) from the enterprise out to the provider. But does that model continue to scale for a global, cross-enterprise, mixed reference, multi-level cloud strategy? (Probably not.) In the next year, products will hopefully surface to address these issues.
3.) Determine how to obtain the necessary transparency. Today, many committees are busy working on standards. One caveat is that most successful standards come from successful reference models, not the other way around. Within the next year or two, we will most likely agree on some standards. Next we will have to address how to convince the cloud providers to implement the required infrastructure so that we have access, in real time, to the information specified in those standards.
If you don’t know where you are going, any road will take you there. We know we are headed to the clouds.