Friday, May 21, 2010
What’s keeping them from the Cloud…
Posted by:
Brian Pereira
There seems to be no shortage of Cloud Computing summits and press conferences these days. And when I attend these I can’t help but notice that there are different definitions of the cloud unleashed at each forum. However, questions about cloud computing remain more or less the same. At one such forum a former Sr. VP-IT from a leading retail bank raised his hand and asked about the kind of cloud security standards available today. And since I happened to be moderating that forum, he later approached me and poured his heart out on how the regulators impose some really stringent rules about security, which kept him away from the cloud.
At another forum, a CIO raised his hand and asked a cloud service provider if he would reveal the names of other customers who shared space with him on that cloud in a multi-tenancy environment. The answer was NO. I asked myself: do I have the right to know my neighbor or is that classified information too?
I often ponder about certain cloud security issues myself. For instance, in the absence of firewalls in the cloud, how does a service provider segregate data sets from different customers, especially when all these reside on common infrastructure and flow through the same pipes? What kind of validation procedures and background checks does a service provider impose on potential customers and on staff who manage the cloud infrastructure? Why aren’t companies feeling confident about security in multi-tenancy environments?
After a chat with C Kajwadkar, the erstwhile VP-IT of NSE.IT (who is now with Netmagic Solutions) a clearer picture emerged.
Since he once served the Finance sector Kajwadkar would know more or less what regulators have to say about technical issues like cloud computing. Not surprisingly, the answer isn’t very encouraging. Regulators are policy makers, not technical specialists. They listen to technologists, invite comments, analyze these, then make standards and enforce these. So it’s really up to folks like ISACA (Information Systems Audit and Control Association) and CSA (Cloud Security Alliance) to define cloud security standards and make presentations to our regulators.
It’s work in progress, but I’m happy to note that the aforementioned bodies have made a start. Be sure to read the whitepaper on the 13 domains defined by the Cloud Security Alliance at the end of 2009. The Indian chapter of ISACA will also be able to tell you more.