Continuing my tentative steps into cloud security, I went to a talk given by Rafal Los of HP (http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/bg-p/sws-119) last night at the Chicago Cloud Security Alliance chapter meeting. The purpose of the talk was to understand cloud security from two perspectives: as a consumer and as a provider of cloud computing services. The talk drew quite a bit of discussion from the crowd, mainly due to disagreements on terminology and over different approaches to managing cloud providers.
Some key takeaways for me:
- Cloud service providers pretty much cover the entire stack, from infrastructure all the way to software. However, you as a smart consumer still need some in-house expertise on the entire stack so you can adequately manage your providers.
- Transparency is key for a cloud provider, but transparency means more than just sales sheets and sanitized ISO/ITIL-compliant security policies. Think open Bugzilla-style issue trackers that customers can follow to see issues affecting the service offered by their cloud providers.
- Good lawyers are needed by both cloud providers and cloud consumers to manage liability (yes, even cloud consumers are exposed to some new liabilities when using cloud services).
- Vendor lock-in to a cloud provider is scary to consumers; again, good in-house expertise is needed to design your cloud strategy to migrate easily between providers.
Overall, it was a useful, thought-provoking discussion that provided insight into areas of cloud computing I hadn’t thought of before. For any Chicago locals interested in the Chicago CSA, their website can be found here.
Thanks for the write-up! I’ve posted the slides here: http://www.slideshare.net/RafalLos/cloud-security-alliance-challanges-of-an-elastic-environment-v8a-public in case anyone wants them as a conversation starter.
Thanks for the link, Rafal!