Thursday, September 30, 2010

GHC10: Cloudy with a Chance of Security, Another perspective

I was excited to see one of the women I had breakfast with, Gerlinde Zibulski (SAP AG), on the panel, as we were already having fascinating discussions on security and data privacy this morning.  Other panelists included Kore Koubourlis (Microsoft), Linda Berardi (StraTerra Partners, LLC), and Alyssa Henry (Amazon Simple Storage Service).

This panel starts out with a great explanation of cloud computing: you pay for what you use, not for provisioning the system. Great for smaller companies that want to be able to change platforms or other directions quickly.  Customers can focus on doing work, not trying to piece together a system from scratch.

When it comes to security and privacy, you need to think about things like how long can I store this data? How securely does this data need to be stored? What countries can this data be stored in?  Compliance obligations can make this that much more complicated.

By storing your data in the cloud, you can leverage resources of the cloud, like disaster recovery setup, backups, penetration testing, etc. While individual organizations may say they'd like to do these types of things, and they might even have plans to do so, cloud providers have to have this all set up before they even put the cloud online. This is what you're buying from them; it's part of the service.

A funny thing is, while people are often afraid of putting things in the cloud, they actually discover that they have a much better idea of what is happening in the cloud, with all the logging, than they do for their internal network. There is a big problem with these unknown internal servers, with the lack of logs and analysis: you might be paying people to maintain servers and applications that are over-provisioned or just not used! True, you could add this type of auditing to your internal servers and applications, but will you?

Because cloud computing was so criticized a few years ago due to inadequate security, you'll often find the security on these servers is much better than anything you would provision yourself. Cloud providers know now that they are being constantly scrutinized, so they have to be secure. One panelist put forth the supposition that they are more secure than anyone's internal servers, but that does kind of miss the point that at least internal servers are... internal :-)

Overall an interesting talk, though I would've liked to hear more about how they secured their clouds (where instead there was a lot of why), but it's great seeing so many women who work in security in just one morning!