Recently in Cloud Category

The month of April was a month in which I had three public speaking appearances. It started out on April 16 when I addressed the New York Higher Education Technology Forum at Hofstra University. The talk tried to drill home the point that all this Cloud stuff is all nice and fluffy, but that we, as cloud consumers, must make sure that our vendors deliver better service for less money. If we fail to do that, we are not making any progress, and Cloud will just be another concept that is doomed to fail.

The second talk was on April 20 at SOURCE Boston, where I was in the fortunate position to mentor a panel about career development, and especially about the role that mentors in that process.

In the third and final talk, on April 29, I addressed a gathering of non-technology people about the risks of social networking, and how to mitigate the risk for themselves. The most important point that I tried to make in that presentation was that on social networks, people may actually read what you write.

Both presentations are available for download, although they might not do you much good without the narrative.

Today, I will present "Information Security In The Cloud" at the New York Higher Education Technology Forum. The presentation will deliver a high-level overflow of some things to keep in mind when moving to a cloud-based infrastructure.

The one point that I hope to get across is that, in order to create real value, CIOs must hold cloud service providers to at least the same levels of expectation as they hold their internal IT organization. In other words, when a CIO expects an uptime from 99.99% from the internal IT group, a cloud offering should be able to deliver the same. If a CIO expect to run an infrastructure component for $25,000 (all-inclusive), the cloud offering should be at most the same price. If the CIO expects regulatory compliance and performance monitoring from the internal groups, he should do the same from a cloud offering.

Too often, business are willing to accept a lower level of quality from cloud offering. For example, some of the cloud providers that I have worked with directly typically do NOT promise an minimum uptime, or when they do, it is at most 99.9%. Taking such of offering would often reduce the quality of the end-user service offerings.

The presentation outline is as follows:

- Introduction
- Assumptions
- Traditional information security
- Cloud Considerations
- Top Threats (based on the Cloud Security Alliance report of March, 2010)
- Recommendations
- Conclusions

After I have done the presentation, I'll post the slide deck and I may even record an on-demand version for those who are interested. Don't expect a technical talk, or one that goes in great depths: that would be unsuitable for the audience, and I only have 45 minutes (including discussion).

Thanks to Hoff's tweet earlier today, I watched a presentation titled Enterprise Cloud Risk and Security.Not only is the presentation an excellent use of a slide deck (no narration necessary), but some of the observations that are outlined in it are representative of the thought processes of someone who gets it.

"Fundamentally, engineering is about knowing and respecting the limitations of one's materials. ICT systems are built with software being one of the key materials. And software is thoughstuff. For an engineer of thoughtstuff, the limitations of mathematics and cognitive science are the limitations of the material"

Masterson goes on by arguing that "We need to stop thinking in terms of security and start thinking in terms of health". This argument is based on the premise that any time a fairly simple and controlled solution is scaled up, complexity is introduced that invalidates many of the controls meant to keep it secure.

A little later, Masterson introduces another interesting concept: Redundant Arrays of Independent Clouds (RAIC). Brilliant ;) The simple (and compelling) reason for RAIC is a bit of knowledge derived from biology and in particular, ecosystems: diversity = health.

Issues covering legacy security technologies such as firewalls are also briefly touched upon:

"Concept like 'firewall' embody Russellian assumptions, and are only useful in the small. Instead, consider concepts like quarantine, sterilization chambers, and disinfection, for example."

This is not to say that firewalls cannot be useful, but as we see more and more distribution in our computing infrastructure and our data being spread globally, local perimeters will continue to be necessary, but no longer sufficient.

All and all a very interesting presentation in a novel format, bringing some good things to think about. Go watch it.

But now there is the danger of a new form of lock-in. "Cloud-computing"-the delivery of computer services from vast warehouses of shared machines-enables companies and individuals to cut costs by handing over the running of their [enterprise applications] to someone else, and then accessing it over the internet.  [..] But customers risk losing control once again, in particular over their data.

The Economist, May 30th-June 5th, p. 18

Others have said it in the past, and more people will say it in the future: The Economist is one of the best newspapers in the world and well worth its price. The publication pleasantly surprises me on many occasions, and this issue is no exception.

While the article is not very long, or even prominently positioned, it does contain a few very important observations: be careful not to lose control when moving existing data into the Cloud, and address the risk of not being able to move data out of the Cloud once it is in there.