Phil Lieberman poses the question this morning via HelpNet: “Is anyone in control of cloud security?”  He covers a lot of ground, from the Trusted Cloud Initiative to security profiles from individual providers.  Anyway, it’s an interesting read.

I like his point of view.  I think he might have said it more strongly, but he ultimately gets to the point that the person “in charge” of the security of your cloud vendor is the same person “in charge” of any other service you ask a contractor to provide… namely: you the customer.  It really can’t be any other way.   Why not?  Because security requirements vary – and it’s up to you to contract with the vendor that bests fits your security model, policy, and environment.

Not all vendors will or can fit into your paradigm and align with your posture.  For example, maybe you don’t process sensitive data.  Maybe you process data where only one mis-step can get you arrested or fined heavily. You’ll find that the requirements dictate your vendor selection and your contract with the vendor.  Trying to introduce security requirements after the fact?  Well, that’s not a recipe for success.

Anyway, a very useful article and a good launch-pad for further research/reading/thought.

Today I came across an interesting discussion about cloud computing being used by bad guys for the purposes of attacking the computing systems we all try to keep safe on a day to day basis.

The describe a couple of scenarios: cloud computing as a launch pad for brute force attacks (e.g. password cracking), cloud computing being used to hide stolen or illegitimate data, as well as cloud computing resources being directly attacked by hackers.

It’s all very interesting.  Of course it makes perfect sense: just as the paradigm shifts in such a way that businesses capitalize on outsourced computing resources (storage, bandwidth, processor time, etc.), so too can attackers leverage the paradigm shift to forward their activities.  And looking forward down the road, as these services increase in availability/accessibility - and as competition drives prices down – it’s likely to create even more and better incentives for criminals to leverage cloud platforms for their nefarious purposes in future.

Anyway, all that got me thinking about cloud computing and the dynamics of the marketplace… and caused me to conclude that “cloud” is a bit of a misnomer.  Cloud implies a uniform substrate, which it is not.  Everyone talks about the commoditization of computing resources, but this is a lie.  There is no such thing as a true commodity.  Not really, anyway.

Take two bushels of wheat.  Traditional economics teaches us that wheat is fungible: any two bushels are equivalent – both in value and purpose.  But is that really true?  Yes and no.  Say I grow one bushel of wheat on an organic farm; say I grow the other hydroponically in a vat of water infused with lead chips and arsenic.  Are these two bushels identical?  Which would you rather eat?

So clearly, “sameness” (or fungibility if you prefer to say it that way) is only true to the extent that there is a certain context within which to operate.  In other words, two bushels of wheat are only the same to the extent that we define parameters that govern “sameness”.  No two bushels will ever really be the same: they’ll have different numbers of kernels, different chemical makeups based on the soil they’re grown in, time of harvest, fertilizers used, pesticides sprayed, etc.  They only approximate “sameness” within a defined framework that we all accept.  This is why the wheat commodities market has a clearly-defined, objective, standard for grading wheat.  The grades are the “standards for sameness” within that market.  Every commodity market has an equivalent.

Computing doesn’t.  A service provider that defines security rules and operates within them is different from a service provider that does not.  It’s up to the customer to gauge this for him or herself.  That is not how commodity markets are made.

What’s my point?  That it’s easy for organizations to forget this fact and buy into the commodity illusion for the purposes of cloud computing.  But I think we need to resist the urge to do this – no matter what we read in magazines.  Because the cloud marketplace does not yet have an objective standard defining parameters like security, vendors are providing very different services with very different sets of security profiles.

It’s just like the wheat.  Do you need your wheat to be edible or are you fermenting it for biofuel? If you’re fermenting it, maybe you don’t care that a particular bushel is laced with arsenic or lead.  If you’re using it to make beer, you’re going to kill your customers if you choose poorly.

The point is, security requirements matter.  It’s up to you to choose wisely.

eSecurity Planet just published Diana’s Cloud-base E-mail security buyer’s guide:

Sit down with the IT security team of almost any organization these days and you’ll probably hear one hot topic come up again and again – cloud-based e-mail. Organizations have used cloud-based anti-malware and spam filters for years, but until recently most have been reluctant to move mail servers, such as Lotus Notes and Microsoft Exchange, out of the enterprise data centers. Concerns about security and control of the servers have outweighed perceived benefits of a cloud or off-premise solution.

No more. It’s a new decade and a paradigm shift is in full swing – e-mail is moving into the cloud at a rapid pace. The shift to cloud E-mail has been fueled by cost concerns and made possible by the rapidly maturing offerings in rich collaboration and communication suites like BPOS (Business Productivity and Online Standard Suite) and Google Apps. A wide variety of organizations and enterprises have already made the switch: Klamath County Oregon and Swedish Red Cross are BPOS customers, Capgemini, Genentech, Motorola Mobile Devices are using Google Apps for Business, and Northwestern, Notre Dame, and Wesleyan are Google Apps for Education users.

For the rest of the article, please click here.

Back in September, Ed and I recorded a video on security in SaaS for SearchSecurity. Just saw it posted so am sharing the link now.

SearchSecurityChannel.com recently sat down with Diana Kelley and Ed Moyle of SecurityCurve to discuss how to get involved in security SaaS. Learn which security technologies especially lend themselves to the SaaS model, what the economic climate means for security SaaS offerings, as well as what policies VARs should be offering to prevent against insider threats.

eSecurity Planet asked us to cover the announcements at RSA this year. Here’s the first part of our coverage:

If 2009 was a lackluster year for security product sales, you certainly wouldn’t know it from some of the vendors on the floor this year at the RSA® Conference in San Francisco. In contrast to last year’s show, attendance appears up – both from delegates and vendors alike. However, things aren’t all rosy. A number of vendors opted not to rent space on the show floor citing economic concerns. Though RSA is not quite back to “heyday” levels from a few years ago, if this year’s show is any indication, the security industry is showing signs of life despite global economic setbacks.

So what is everyone here to learn about? Surprisingly, much of the attention of show attendees is not on completely new themes, but in re-examination of an existing topic that has been with us for some time now. Cloud computing, a logical conclusion of the increasing move to both off-premises and virtualized environments is of primary interest to both vendors and delegates here at the show. RSA President Art Coviello set the direction and tone of the official program with his well-attended cloud-focused keynote and it’s clear that interest in these topics has not waned – in fact, if anything, it’s increased. And vendors are pushing this agenda pointedly as the cloud meme dominates the show floor.

For the rest of our write-up, please click over to eSecurity Planet.

I’ll be doing the keynote for the TechTarget eMail Saas security seminars this month. If you’re in any of these cities – please consider registering for the free half-day seminar.

Thanks!

Chicago, IL
Tuesday, February 16, 2010
Hyatt Regency O’Hare

Boston, MA
Thursday, February 18, 2010
Sheraton Needham Hotel

Toronto, ON
Tuesday, February 23, 2010
Hilton Suites –
Toronto / Markham Conference Centre and Spa

Houston, TX
Thursday, February 25, 2010
The Magnolia Houston

Karen Hobert, one of the co-founders of the Collaborative Strategy Guild, and I recently teamed up to write a Messaging Security Buyer’s eGuide for Information Security.

In the eGuide we cover:

• Messaging Security Components
• On-Premise vs. SaaS/Cloud
• Logging, Archiving, Reporting, and Compliance Considerations

It was a busy summer and I forgot to mention that Char Sample, Senior Scientist at BBN and I worked on a series of Cloud Computing Security articles together. If you haven’t seen them yet, please consider taking a look!

Overview: What is Cloud Computing?
Part I: Infrastructure Issues
Part II: Choosing a VPN type to Connect to the Cloud
Part III: Routing and DNS Security Threats