Cloud computing's future depends on securing it, industry execs say

Journey is 'inevitable,' RSA's Coviello says

SAN FRANCISCO — Cloud computing has the ability to complete the transformation of information technology that was started by the Internet, but its success depends on security, Art Coviello, president of RSA, the Security Division of EMC, said Tuesday in his opening keynote of the RSA Security Conference.

“The journey to the cloud is inevitable, and we are going to have to secure it,” he said.

Cloud computing has the ability “to make sweeping changes in the infrastructure,” by freeing organizations of the need to spend two-thirds of their IT budgets on basic expenses. Instead, they can invest in resources on-demand, he said. “But we have to be careful we don’t end up in security hell.”

Scott Charney, Microsoft’s vice president of trustworthy computing, said cloud computing has new implications for the company’s nine-year-old Trustworthy Computing Initiative. It moves the goal of end-to-end trust out of the PC or the enterprise and into a new environment where no one entity has access or authority. Identity authentication and privacy will be the key elements in enabling cloud computing, Charney said. 

RSA has announced an initiative with VMware, Intel and Archer Technologies to enable the visibility into cloud security that will be required to ensure that policy and regulations can be enforced in the virtual environment. Microsoft has announced that it is making cryptographic algorithms for its U-Prove minimal disclosure ID management scheme available for use under an open-source license.

Coviello said the security industry has the opportunity to ensure that security is built into cloud computing from the beginning so that it can be used to its full potential. “People must be able to trust the cloud,” he said.

In this early phase, there is little critical information and few critical applications being used in the cloud, so security requirements have not yet been demanding. But as adoption expands and risks increase, “security will get pushed down the stack, deep into the virtual layer,” he said. As resources are outsourced, the ability to enforce and document policies, and demonstrate regulatory compliance will be needed, he said.

The movement of data into a virtual environment not controlled by individuals requires a rethinking of how we approach identity management, Charney said. Enabling security along with privacy requires the ability for a user to prove the minimum necessary information about himself during a transaction, without exposing unnecessary information. That is the purpose of the U-Prove scheme. It is a “claims-based” identity system based on proving certain claims about the user without including the entire identity if not necessary.

Charney warned there are also social, political and legal issues that will have to be addressed as more data moves into the cloud.

“The cloud has the ability to alter the balance of power between the individual and the state,” he said. “Everything will go to the cloud. Government and litigants can go to the cloud and get that information without coming to the individual.”


 



About the Author

William Jackson is a Maryland-based freelance writer.


Reader Comments

Wed, Mar 3, 2010 Larry Medina West Coast, USA

The vendor and service provider community is so sure this is "inevitable" and I'm sure they're starting to re-design their business models around it. Somehow, they have the misguided conception that organizations are going to turn control of their data management over to third parties as a good business practice. Statements like these are the scary parts of this: "It moves the goal of end-to-end trust out of the PC or the enterprise and into a new environment where no one entity has access or authority." "The movement of data into a virtual environment not controlled by individuals requires a rethinking of how we approach identity management" "Enabling security along with privacy requires the ability for a user to prove the minimum necessary information about himself during a transaction" "Everything will go to the cloud. Government and litigants can go to the cloud and get that information without coming to the individual" Naturally, most of these were preceded by language stating the need to ensure the security exists within 'the cloud' prior to organizations moving into it and that most of this will need to be deeply embedded in the virtual systems. And my intent is not to take the above comments out of context, but the concern is similar to the HIPAA requirements for Business Associates Agreements for those handling health related records in storage for medical professionals, will the cloud operators be required to sign similar agreements accepting full liability for exposure of content in their control? SLAs only do so much, and when you get into a legal issue and you're required to provide an FRCP compliant "ESI Data Map", how will you do this for any data 'in the cloud'?
