We'll delve into some early activities among several standards groups, including the Jericho Forum. They are seeking ways to help organizations approach cloud adoption with security in mind.
Here to help on the journey toward safe cloud adoption, we're joined by Steve Whitlock, a member of the Jericho Board of Management. The interview is conducted by me, Dana Gardner, principal analyst at Interarbor Solutions.
Here are some excerpts:
Whitlock: A lot of discussions around cloud computing get confusing, because cloud computing appears to be encompassing any service over the Internet. The Jericho Forum has developed what they call a Cloud Cube Model that looks at different axis or properties within cloud computing, issues with interoperability, where is the data, where is the service, and how is the service structured.
The Cube came with a focus on three dimensions: whether the cloud was internal
or external, whether it’s was open or proprietary, and, originally, whether it was insourced or outsourced. ... There are a couple of other dimensions to consider as well. The insource-outsource question is still relevant. That’s essentially who is doing the work and where their loyalty is.
They've also coupled that with the layered model that looks at hierarchical layer of cloud services, starting at the bottom with files services and moving up through development services, and then full applications.
The Jericho Forum made its name early on for de-perimeterization or the idea that barriers between you and your business partners were eroded by the level of connectivity you needed do the business. Cloud computing could be looked at the ultimate form of de-perimeterization. You no longer know even where your data is.
... Similar to SOA, the idea of direct interactive services on demand is a powerful concept. I think the cloud extends it. If you look at some of these other layers, it extends it in ways where I think services could be delivered better.
It would be nice if the cloud-computing providers had standards in this area. I don’t see them yet. I know that other organizations are concerned about those. In general, the three areas concerned with cloud computing are, first, security, which is pretty obvious. Then, standardization. If you invest a lot of intellectual capital and effort into one service and it has to be replaced by another one, can you move all that to the different service? And finally, reliability. Is it going to be there when you need it?
... There are concerns, as I mentioned before -- where the data is and what is the security around the data -- and I think a lot of the cloud providers have good answers. At a really crude level, the cloud providers are probably doing a better job than many of the small non-cloud providers and maybe not as good as large enterprises. I think the issue of reliability is going to come more to the front as the security questions get answered.
... It’s very important to be able to withdraw from a cloud service, if they shut down for some reason. If your business is relying them for day-to-day operations, you need to be able to move to a similar service. This means you need standards on the high level interfaces into these services. With that said, I think the economics will cause many organizations to move to clouds without looking at that carefully.
The Jericho Forum is also working with the Cloud Security Alliance on their framework and papers. ... It's a very complementary [relationship]. They arose separately, but with overlapping individuals and interests. Today, there is a formal relationship. The Jericho Forum has exchanged board seats with the Cloud Security Alliance, and members of the Jericho Forum are working on several of the individual working groups in the Cloud Security Alliance, as they prepare their version 2.0 of their paper.
... In addition to the cube model, there is the layered model, and some layers are easier to outsource. For example, if it’s storage, you can just encrypt it and not rely on any external security. But, if it’s application development, you obviously can’t encrypt it because you have to be able to run code in the cloud.
I think you have to look at the parts of your business that are sensitive to needs for encryption or export protection and other areas, and see which can fit in there. So, personally identifiable information (PII) data might be an area that’s difficult to move in at the higher application level into the cloud.
I think the interest in how to protect data, no matter
where it is, is what it really boils down to. IT systems exist to manipulate, share, and process data, and the reliance on perimeter security to protect the data hasn’t worked out, as we’ve tried to be more flexible.
We still don’t have good tools for data protection. The Jericho Forum did write a paper on the need for standards for enterprise information protection and control that would be similar to an intelligent version of rights management, for example.