CISOs rain on cloud-computing parade at RSA

SAN FRANCISCO -- Economic pressures are driving more businesses and governments to nervously eye cloud computing, despite myriad unanswered questions that swirl around a single central concern: security. This was the backdrop for a panel discussion between CISOs at this week's RSA Conference.

"We're all in dire straits," said Seth Kulakow, Colorado's CISO. "Cloud computing is obviously on everybody's mind." But even if cloud computing looks like a bargain, "it's got to have the same kind of risk controls you have now."

"It's imperative we look at it," said Nevada's CISO Christopher Ipsen, who had noted that the economic crisis and housing-market collapse have left his state's financial situation "extremely bad."

"We are doing some cloud services with e-mail," said California's CISO, Mark Weatherford. "It's very efficient. We can't ignore the benefits in the cloud, but we have to proceed carefully." The Los Angeles Police Department is regarded as the state's early adopter in all this since it's moving to a cloud-computing arrangement with Google.

But giving up control over IT infrastructure and software assets in favor of rental and pay-as-you-go models evokes anxiety, too. "What I'm most worried about is catastrophic failure, and if we put all our eggs in one basket, someone in the middle holds the keys," Ipsen noted.

IT customers are not the only parties that need to evolve their thinking, panelists said.

"The cloud represents a fundamental change in how vendors will work with their customers," said another panel participant, Forrester Research analyst Jonathan Penn. "We need some sort of standardization in this so we can have some way of comparing platforms and levels of service so I can understand what I'm getting."

IDC analyst Chris Christiansen said the cloud security market is estimated at $1 billion, mainly for e-mail and Web services, and trying to track it is going to be a challenge since many new forms of product and service delivery are arising.

So, too, are horror stories, including one about an enterprise that needed to pay $170,000 merely to pry its own data back from a cloud service.

"Just about any kind of dispute can arise in a cloud-computing relationship," said Tanya Forsheit, founder and partner at Information Law Group. "The inability to obtain data, the level of data security, the allocation of liability in the result of a breach, and what are the default rules?" Privacy regulations in the United States and Europe, for instance, may mean that certain kinds of sensitive data simply cannot move about freely.

And a tricky aspect in cloud negotiations is that there's a strong perception that most cloud-service providers, Amazon Web Services included, are not "transparent" enough -- the preferred word many are using -- about their internal infrastructure. This secrecy is making the legal situation more tenuous and expensive than it should be.

"I call it 'faith-based IT,'" quipped Chris Whitener, chief security strategist at HP. "They think they'll use it and nothing will happen to them."

But HP, now one of the world's largest data outsourcing companies since its merger with EDS, is itself in internal ferment over how to redefine or expand its data center services, often delivered under multi-year formalized contracts, to add more flexible on-demand, pay-as-you-go, cloud-like services. With announcements on that score possible later this year, HP is mulling possibilities such as cloud services with well-defined security services, though wondering whether customers so eager for bargains will pay a bit more for better security, such as PCI-compliant computing clouds.

But the high-tech industry, re-inventing itself in virtualization, does seem to be betting that customers will demand the means to extend security controls from the enterprise into the cloud. And this idea is triggering a new era of creative change among long-established security vendors.

At RSA this week, CA announced how its Identity Manager product can be used with Salesforce's Sales Cloud 2 service so CA customers can automatically provision and de-provision access and privileges. And Cisco outlined a product-development strategy for mobile and cloud-based security, with products expected in the second quarter.

Trend Micro, known for its antimalware software and services, is making a leap into the area of encryption, primarily to come up with new ways to protect customer data as it transits the Internet and ends up stored in a cloud-computing facility.

Encryption vendor PGP is also preparing to provide a new range of options for cloud-based computing, says PGP president and CEO, Phil Dunkelberger. He argues the public-key encryption model favored by PGP will triumph over any private-key models. A third vendor, McAfee, is also expected to make cloud-security announcements in the next week or so.

Some vendors, though, are having to admit their cloud-computing security efforts are dragging on. VMware and RSA, for instance, at a press conference this week had to acknowledge that the initiative they had announced at RSA in 2009 to integrate the RSA data-loss prevention (DLP) technology into VMware's vSphere product had not progressed as quickly as expected, and it remains uncertain whether a DLP-integrated vSphere will be out by year-end.
