The following text is copyright 2009 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Cloud computing security - who knew
By: Scott Bradner
Cloud computing is big even though there less than perfect agreement on just what it is. As a measure of success, Google gets more than 25 million hits for the term "cloud computing". If you add "security" to the search you still get 20 million hits but, to judge from the first few screens full, a lot of the hits turn out to be articles focusing on the security issues with cloud computing. A representative example is an article quoting Cisco CEO John Chambers saying that cloud computing is "a security nightmare." Since cloud computing will not reach its potential without a good security story it is good to see that there are now some potentially meaningful efforts to think about the security issues.
One of these efforts is by the ad-hoc Cloud Security Alliance (http://www.cloudsecurityalliance.org/) which published "Security Guidance for Critical Areas of Focus in Cloud Computing" (http://www.cloudsecurityalliance.org/guidance/csaguide.pdf) white paper last week. Sad to say, the guidance is as focused as the title of the white paper.
The Cloud Security Alliance does seem to have its heart in the right place, and the white paper does provide a very good overview of a current understanding of what cloud computing includes but it also demonstrates clearly that the current understanding is quite fuzzy with far too many facets. The white paper lists five principal characteristics of cloud computing, three could delivery models and four cloud service deployment and consumption modalities. It seems like cloud computing can be just about any combination of these facets. This, obviously, makes any discussion of security quite a challenge.
The Cloud Security Alliance white paper tries to address 15 domains, from architecture to virtualization and touching on legal issues, interoperability and incident response, among many other topics, along the way. The list and discuss many issues that need to be considered in each of these domains, many of which I had not thought of, but which, taken as a whole, are rather daunting.
Some of the discussions of the individual domains are very good. I do recommend them to anyone who is considering the processing any information that is not totally public using cloud computing. The discussions will not make you feel better but you will better know what there is not to like and what you need to worry about.
What is missing in this white paper is a sense of a whole. It is more of a pile of issues than a unified proposal to address them. In this way the title of the white paper is quite accurate since it highlights the critical areas that need to be thought about.
Who knew that the concept of security in cloud computing was even possible to imagine, anyone watching cloud computing developments to date would not have guessed that was possible. But efforts like the Cloud Security Alliance, as well as a few others I found in my searching, indicate that all is not lost -- even if the road will be a long and confusing one.
disclaimer: At more than 370 years of age, Harvard has traveled many a long and confusing road - mostly the final result as been good. But I've not seen a university position on the sensibility of this cloud computing road map so the above travelogue is mine.