This story appeared on Network World at

This story appeared on Network World at
http://www.networkworld.com/columnists/2009/042709bradner.html

Cloud computing security: Who knew?

Security has not been much of a consideration in cloud computing --but that may be about to change

'Net Insider By Scott Bradner , Network World , 04/27/2009

Cloud computing is big even though there is less than perfect agreement on just what it is.

As a measure of success, Google gets more than 25 million hits for the term "cloud computing". If you add "security" to the search you still get 20 million hits, but a lot of the hits turn out to be articles focusing on the security issues with cloud computing.

A representative example is an article quoting Cisco CEO John Chambers saying that cloud computing is "a security nightmare." It's good to see that there are now some potentially meaningful efforts to think about the security issues with cloud computing.

One of these is by the ad-hoc Cloud Security Alliance, which published a "Security Guidance for Critical Areas of Focus in Cloud Computing" white paper last week. Sad to say, the guidance is as focused as the white paper's title.

The alliance does seem to have its heart in the right place, and the white paper provides a very good overview of what cloud computing includes, but it also demonstrates clearly that the understanding of cloud computing is quite fuzzy with far too many facets. The white paper lists five principal characteristics of cloud computing, three cloud delivery models and four cloud service deployment and consumption modalities. It seems like cloud computing can be just about any combination of these facets.

This makes any discussion of security quite a challenge.

The white paper tries to address 15 domains, from architecture to virtualization, and touches on legal issues, interoperability and incident response, among many other topics. The alliance lists and discusses issues that need to be considered in each of these domains, many of which I had not thought of, but which taken as a whole, are rather daunting.

Some of the discussions of the individual domains are very good. I recommend them to anyone who is considering the processing of any information that is not totally public using cloud computing. The discussions will not make you feel better, but you will better know what there is not to like and what you need to worry about.

What is missing in this white paper is a sense of a whole. It is more of a pile of issues than a unified proposal to address them. In this way the title of the white paper is quite accurate because it highlights the critical areas that need to be thought about.

Who knew that the concept of security in cloud computing was even possible to imagine? But efforts like the Cloud Security Alliance, as well as a few others I found in my searching, indicate that all is not lost -- even if the road will be a long and confusing one.

Disclaimer: At more than 370 years of age, Harvard has traveled many a long and confusing road -- mostly the final result has been good. But I've not seen a university position on the sensibility of this cloud computing road map, so the above travelogue is mine.