At the InfoSec World 2011 conference, in the sessions I attended, there was quite a bit of discussion about moving to the cloud as well as cloud outages. What did I discover:
- Migration to the cloud requires planning and resources
- Migration to the cloud requires a team including legal
- Diversification is very important
- It must be easy to migrate
- Security as a Service is a valid option
- I should not lower my standards just to enter the cloud
Some of this was discussed at InfoSec World 2011, The Virtualization Security Podcast of 4/21, and while at Innovations at Epcot Center.Migration to the Cloud
If there was one major take-a-way from the InfoSec World 2011 conference as well as the Summit on Virtualization and Cloud Security, it was that going to the cloud requires planning,understanding, and a team that make up all enterprise teams affected by such a move which also includes the legal department. So who should definitely be part of this team?
- Security (including audit and compliance teams)
- Systems (Application Owners, Virtualization Owners, Stack Owners)
- Business Process Owners
Such a team should have backing by a C-level executive as well. The goal to such a migration would be to make use of cloud technologies without loosing any functionality, security, or capabilities. Legal is required to be part of this process as cloud provider’s have their own service level agreements, governance, regulatory, and compliance objectives and terms that may not be in line with your own organization. This team would also determine, based on available cloud technologies and capabilities, what aspects of the environment could be placed within the cloud.
While in on of the Innovation areas of Epcot, they had two areas that really brought to light the requirement for diversification and ease of migration with respect to the cloud.
The first is ease of use: Has anyone ever tried out a Segway? I got that opportunity and it is extremely easy to use, you step on carefully and then control the Segway just like walking, running, and cycling all put together into one set of actions. In essence, it just works and using skills we already have. This is very important when moving to the cloud. It requires a bit of care early on, but should just work from then on and be easy. I am not so sure things are very easy yet with respect to the cloud, but I hope this is the end goal.
The second is diversification: You would not place all your hopes for retirement on just one financial instrument would you? I know I would not, and there was an interesting game at innovations to walk you through investing. But watching it, really hit home that with the cloud you must diversify. Do not put all your eggs in just one basket. If the Amazon failure teaches us anything is that we need to diversify our cloud holdings to not only increase our availability, but make our cloud usage resilient.
Now if you tie the two together, ease of use and diversification, you are faced with a pretty major dilemma when talking about the cloud, that is that the clouds really do not inter-operate. Amazon does not speak to Salesforce, does not speak to vCloud, does not speak to this or that cloud and visa versa. To make cloud a utility they must inter-operate and this is where the Cloud Security Alliance could really help. But each cloud provider needs to pick up the standards out there and make it easy, for example, not everyone follows the DMTF standards for virtual machine layouts, and since the virtual machine is the most common object at the moment, we have a break down in making the cloud ‘easy to use’. Perhaps this is why VMware wants to move to making the Application the core of virtualization and cloud computing?
Security as a Service
CloudPassage joined us on the virtualization security podcast while at InfoSec World 2011, and we discussed Security as a Service as a part of any cloud or virtual environment deployment. This becomes more and more important as we move forward to cloud as we should not lower our security standards to enter the cloud. We need to protect our data and tools such as CloudPassage, Trusteer, Zscaler, and SecureCloud from Trend Micro provide us ways to do this within the cloud without requiring to be part of the cloud infrastructure. In essence, these tools sit within or on top of the cloud environment to give you better overall security. However, there is still a need for a properly secured cloud environment, that includes physical and virtual environment security.
Security as a Service is just one more tool within our toolbox for Security.
After several days at InfoSec World 2011 and Disney World during the Amazon failures, brought to light that at the moment cloud may appear on first blush to save money it may not unless you involve the proper people from the beginning, plan your deployment, carefully craft your steps to roll out elements of your environment to a diversified cloud. We should never lower our standards just to use the cloud, but we should ensure the cloud meets our requirements. If those requirements are not baked into the cloud then look to Security as a Service and other service options.