Recently in Cloud Category

Enterprise Cloud Risk and Security


Thanks to Hoff's tweet earlier today, I watched a presentation titled Enterprise Cloud Risk and Security. Not only is the presentation an excellent use of a slide deck (no narration necessary), but some of the observations that are outlined in it are representative of the thought processes of someone who gets it.

"Fundamentally, engineering is about knowing and respecting the limitations of one's materials. ICT systems are built with software being one of the key materials. And software is thoughtstuff. For an engineer of thoughtstuff, the limitations of mathematics and cognitive science are the limitations of the material"

Masterson goes on by arguing that "We need to stop thinking in terms of security and start thinking in terms of health". This argument is based on the premise that any time a fairly simple and controlled solution is scaled up, complexity is introduced that invalidates many of the controls meant to keep it secure.

A little later, Masterson introduces another interesting concept: Redundant Arrays of Independent Clouds (RAIC). Brilliant ;) The simple (and compelling) reason for RAIC is a bit of knowledge derived from biology and in particular, ecosystems: diversity = health.

Issues covering legacy security technologies such as firewalls are also briefly touched upon:

"Concepts like 'firewall' embody Russellian assumptions, and are only useful in the small. Instead, consider concepts like quarantine, sterilization chambers, and disinfection, for example."

This is not to say that firewalls cannot be useful. As our computing infrastructure becomes more distributed and our data is spread globally, local perimeters will continue to be necessary, but they will no longer be sufficient.

All in all, a very interesting presentation in a novel format, bringing some good things to think about. Go watch it.

Unlocking the cloud


But now there is the danger of a new form of lock-in. "Cloud-computing" - the delivery of computer services from vast warehouses of shared machines - enables companies and individuals to cut costs by handing over the running of their [enterprise applications] to someone else, and then accessing it over the internet. [..] But customers risk losing control once again, in particular over their data.

The Economist, May 30th-June 5th, p. 18

Others have said it in the past, and more people will say it in the future: The Economist is one of the best newspapers in the world and well worth its price. The publication pleasantly surprises me on many occasions, and this issue is no exception.

While the article is not very long, or even prominently positioned, it does contain a few very important observations: be careful not to lose control when moving existing data into the Cloud, and address the risk of not being able to move data out of the Cloud once it is in there.

Puffing in a Cloud of appearance


I am heading over to Jersey City tonight to attend a meeting on Cloud Security, organized by IOActive. Despite Hoff's best efforts, cloud security confuses me. I understand information security and I understand "The Cloud" as well as most other people do (which isn't saying all that much), but I fail to see how combining the two suddenly makes a completely new field that is worthy of all the buzz it gets.

We have been dealing with outsourced business functions for a long time and most organizations are used to doing it; some have even gotten quite good at it.

I have been reading the Cloud Security Alliance's document titled Security Guidance for Critical Areas of Focus in Cloud Computing. If you have not read that document yet, go do it now. If anything, the architectural framework defined in it is very worthwhile and I hope it will bring the Cloud playing field to adopt similar terminology when talking about identical things.

Keeping in mind Hoff's distinction between the three architectural layers (Infrastructure as a Service, Platform as a Service, and Software as a Service) clearly helps in shaping our perception of risks associated with outsourcing a business function, and it will support defining our responsibilities as an outsourcing organization.

The document provides guidance on how to direct existing efforts to facilitate Cloudification. There isn't all that much in there that is truly new.

The fact that we are struggling with this shows once more that our field is young and emerging, and that we haven't really even reached adolescence. It is a fun time, but as with all new things, stepping back every now and then to reflect on what's going on should also be a priority.