What do Virtualization and Cloud executives think about 2011? Find out in this VMblog.com series exclusive.
Contributed Article By Dave Asprey, VP Cloud Security, Trend Micro
6 Things to Keep CIOs up at Night When They Think About Public Clouds in 2011
In the age-old tradition of making predictions about the next year, here is my list of what CIOs will worry about in 2011 when they think about putting real enterprise applications on the cloud. I'm focusing on Infrastructure as a Service, although many of these predictions apply equally well to Software as a Service and Platform as a Service.
Public Cloud Administrators Will See My Data
In most IT organizations there is an admin who can probably look at any piece of information inside a company if he really wants. Sure, we put access logs into place, but let's face it, anyone with enough savvy can usually erase their tracks. At least you can be reasonably sure that it's one of your employees when the data is on your server. In the cloud, CIOs will worry that one of the admins from the cloud provider will do the same thing. After all, it's happened before... (http://gawker.com/5637234/) Look for encryption to become more important.
My Shared Storage Might Be Vulnerable
14 years ago, at the company that invented (http://en.wikipedia.org/wiki/Exodus_Communications) internet collocation, some customers refused to allow their network traffic to share a network switch with other customers even though it was safe. The same fear has migrated from the network to storage as CIOs ponder whether it's safe for their data to share a disk with their competition. As you might imagine, the answer is "it depends," but I predict that this year, shared storage will become more acceptable to CIOs as encryption and key management get a lot of attention.
Sharing Any of My Infrastructure is Dangerous and Bad
As my three-year-old daughter says, "I don't want to share. It's MINE." Nonetheless, sometimes she has to share because the Powers That Be said so. In her case, that means Mommy and Daddy. But in the CIO's case, the Powers That Be are shareholders and CFOs looking to shift capital expenditures to operational expenditures. It will be up to IT to figure out how to make the cloud secure enough, because they're going to have to share.
Public Cloud Providers Aren't as Good as Me About Security Procedures
Proper adherence to security best practices will be a top issue for enterprises looking to put mission-critical data in the cloud. Some cloud providers have gone to the trouble of getting certifications that they adhere to security best practices, like ISO 27001 and SAS70 II, which is a good start for making CISOs feel more comfortable. But it's just a start. Most cloud providers are startlingly vague about the details of their security policy, even with customers who've signed an NDA. Expect to see lots of long tedious descriptions of newly published security procedures from public cloud providers targeting the enterprise in 2011. That's what it's going to take to convince CISOs that clouds are trustworthy.
I Have No Idea Who Saw My Data
CISOs know that logging and access control across every tier of infrastructure is vital to security, particularly in regulated environments. However, most cloud providers do not share physical access logs or even administrative access logs with their customers. That means it's up to enterprises to verify that data is encrypted everywhere it may be accessed but not logged, and it's up to cloud providers to offer more transparency. In 2012 we can talk about adding non-repudiation to those logs.
Blame the Cloud - It Wasn't Me!
As enterprises move more mission-critical systems to the cloud, the issue of liability will become more important. Today, cloud providers accept liability up to the cost of the service they provide. That means that even if the cloud provider was negligent and lost your data or disclosed it publicly, you basically get a refund, even if it kills your company. I once worked for an auto parts manufacturer which provided truck frames for a big auto company. We had to write a check for $150,000 per minute if our "manufacturing as a service" went down, because it affected the entire supply chain. The cloud is no different. Cloud providers which step up to business impact SLAs will be able to charge a lot more than commodity cloud providers. Look for insurance companies to step in to spread the risk.
About the Author
As Vice President of Cloud Security, Dave Asprey is responsible for thought leadership and technology evangelism for Trend Micro’s cloud computing and virtualization businesses.
Dave joined Trend Micro after spending most of 2010 as an Entrepreneur in Residence at venture capital firm Trinity Ventures, co-founding a cloud startup, and selling a web-based virtual desktop startup. He was previously VP of Technology and VP of Business & Corporate Development at Blue Coat Systems. He spent 2 years as VP Technology & Marketing at cloud networking vendor Zeus Technologies. Earlier, he ran strategic planning for Citrix’s Virtualization Business Unit and began his career in the cloud as a co-founder of the professional services group at Exodus Communications, then as Sr. Director of Product Management at Speedera, now part of Akamai. Dave also ran the Web & Internet Systems Engineering Program for UC Santa Cruz for 5 years.
Dave created and launched two early cloud computing service offerings, and his writing on the cloud has been published by the New York Times, GigaOm, Fortune, and CNNmoney, and PriceWaterhouseCoopers published his book-length piece on systems management. He is a sought-after speaker and panel moderator.