Monday, December 21, 2009
I came across an article today, “Security in the Ether” by David Talbot in Technology Review that speaks to a number of issues with cloud computing security. At nearly 3500 words, it’s a hefty piece that gives a wide perspective on the multifaceted debate around the definition of cloud, the ever-increasing security threats, and the future standards for securing the cloud.
Among a number of thought-provoking areas, one note that struck me is that the National Institute of Standards and Technology (NIST) is on its 15th revision of the definition of the cloud. By my personal definition, I’ve been a proud user of cloud computing for over a dozen years, starting with free webmail via dial-up with 2 MB of storage. The advent of SaaS, distributed storage, and cloud-based virtual machines has greatly expanded the potential definition. Over the next dozen years, the technologies will continue their unrelenting advance, with the definition potentially growing even more unwieldy.
As mentioned in the article, one of the benefits of continuing the work on the definition, irrespective of specific applications, would be the start of standardization of cloud security. As a CIO, my evaluation of the tradeoff between security and accessibility is a calculation that has the potential to be different for each type of data.
For large enterprises with petabytes of sensitive data, the threats are unlimited and response must be in kind. For SMBs, these same threats remain, and a secure cloud has the ability to level the playing field with their larger competitors. For CIOs struggling with the locations of future applications and data, this standardization stands to make the calculus much less daunting.
The article’s title, “Security in the Ether,” is appropriate and a challenge to the technology industry. Global access to virtually unlimited resources creates systemic risk that cloud and potential cloud users must work together to secure.
To that end, we have efforts currently underway to create a Cloud/SaaS community with initial support already from major vendors and VARs. These companies intend to use CompTIA’s vendor-neutral position to play a vital role in establishing a common framework and syntax for identifying SaaS and Cloud skills and organizational best practices.
I encourage interested companies and individuals to join in this collective effort in 2010 – stay tuned for the Q1 announcement.