Sun CTO to form cloud security forum

Sun's UK chief technology officer is working with major British public and private organisations to set up a cross-sector forum to resolve cloud-computing security issues.

Cloud-computing systems could become as important as the UK critical national infrastructure, and they need to be secured in an appropriate manner, Wayne Horkan told ZDNet UK on Thursday. The Sun executive said he is working on setting up the forum alongside organisations such as the CBI, Microsoft and Accenture; government departments such as Berr, Dius and the Treasury; and the government's chief scientific advisor, Professor John Beddington.

"I'm concerned about the security of the supply," Horkan said at the Cloud Expo Europe conference in London. "If cloud computing becomes a utility, it's important to me that the UK as a nation state has good security of supply. It's important that the UK has the appropriate capability in cloud computing."

Horkan is also concerned about cloud-computing compliance issues facing the public and private sectors. Most of the major cloud-computing suppliers, which include Amazon and Google, are US-based. Horkan said that European organisations using cloud services based outside Europe face the possibility of not being in compliance with European data-protection law, as sensitive customer data could be inappropriately shared, or exposed through legal discovery.

"In Europe, you could put your data on the Google cloud, where it would be stored on its Lithuanian or Zurich datacentres," said Horkan. "Overnight, the data gets uploaded onto an American server. The implication is, if you have sensitive data you are legally obliged not to share, you will inadvertently have shared it."

Horkan said UK legislation such as the Data Protection Act, and regulations such as PCI-DSS, need to be examined by companies considering cloud computing. However, he said he plans to push the UK government to re-examine data legislation.

Amazon Web Services (AWS) told ZDNet UK on Thursday that businesses using its services it could be compliant with data law.

"We provide certification for datacentres to comply with regulatory rules, and we offer Amazon in the EU. If you need to host in the EU we have datacentres in Ireland," said Simone Brunozzi, AWS evangelist. "Large organisations are solving this [problem] by encrypting data, or [contractually] through terms and conditions."

Brunozzi added that Amazon had an interest in maintaining the security and availability of its services. "If we are down for one second, we lose a lot of money," said Brunozzi. "We have a lot of focus on security because we have details of millions of [payment] cards."

However, AWS is not a "silver bullet" for solving cloud-computing compliance and security issues, Brunozzi admitted.

"For some situations, it doesn't make sense to move to the cloud yet," said Brunnozzi. "We give security and availability, yet some specific use cases are not moveable to the cloud yet [in terms of PCI-DSS compliance]."

Simon Wardley, the software services manager at Ubuntu Linux backer Canonical, said companies might become less competitive if they failed to utilise cloud computing. "There's the risk of being left behind," said Wardley. "There's no point in turning up to the cat fight with a snazzy rifle if everyone else has brought a tank. You need to evolve even to stand still relative to an ecosystem."

The next version of Ubuntu, Karmic Koala, will have extensive built-in cloud-computing functionality.