Security key to unlocking cloud potential

Security is the main issue holding companies back from adopting cloud computing, which needs to be retooled for mass enterprise adoption, RSA chief points out.

SAN FRANCISCO--Cloud computing was given equal billing with the advent of the Internet as the "most overhyped but underestimated phenomena in history", but the issue of security is holding back its full potential.

This was the gist of the keynote message on Tuesday at the RSA Conference by Art Coviello, the company's president, in which he also detailed key challenges--and opportunities--faced by the industry to encourage increased adoption of cloud computing. RSA is the security division of EMC.

To back this point, Coviello cited a recent survey conducted by CIO magazine that stated 51 percent of IT chiefs were unwilling to adopt cloud computing because of security issues.

"The challenge is to ensure that safety is designed and built into the cloud so that organizations of every size, from the smallest merchant to the largest government or multinational company, can make broad use of the cloud, fully confident that their information and transactions are secure," Coviello said.

"Our industry needs to deliver solutions that ensure levels of protection in the cloud would surpass what physical environments are providing today."

In order to do so, security needs to be embedded in the virtual layer and practitioners need to shift from safeguarding the enterprise architecture to adopting a posture of "information-centric" protection, he added.

During the keynote, Coviello also touched on the collaboration with Intel, which ZDNet Asia reported yesterday. The initiative would allow for a "hardware root of trust" to secure the entire cloud computing stack, from the processor level to applications running on the system, he explained.

This, he added, was an opportunity to revolutionize how security is presented and delivered "from the inside out".

Fellow keynote speaker, Scott Charney, Microsoft's corporate vice president for Trustworthy Computing, further delineated the implications of cloud computing on the enterprise.

He said shared accountability, co-tenancy, identity and privacy, and jurisdiction are some of the issues that will have to be addressed.

For shared accountability in particular, Charney noted that third-party vendors engaged by companies to run hybrid cloud operations would have to "get the fundamentals right" in areas such as security development, standards and privacy.

However, resistance to cloud computing was evident from thoughts shared by some speakers in a subsequent presentation.

According to Adi Shamir, a professor in the computer science department of Israel's Weizmann Institute of Science, government intervention is the "elephant in the room" that nobody wants to discuss when it comes to cloud computing.

He cited the example of how mobile phone data is currently "flowing to the government" to illustrate the problems of maintaining one's privacy, and how urging people to put their personal information up on public cloud networks would be the "government's wet dream".

Brian Snow, former technical director of the U.S. National Security Agency's Information Assurance Directorate (IAD), also preached caution, noting he "was not fond" of cloud computing technology.

He added that for public or hybrid cloud networks to work, third-party service providers and organizations employing them have to make sure their contracts and service level agreements are "written very carefully".

Ultimately, in order for data to flow to the cloud environment, governments around the world need to define the "normative behavior" for accessing information made available in public clouds, said Microsoft's Charney.

"I'm a big believer that social policy should not be determined by IT. Rather, such policies need to be first determined, and IT should align itself accordingly [to these mandates]," he said.

Kevin Kwang of ZDNet Asia reported from the RSA Conference in San Francisco.