Next up at the Cloud Computing and Virtualization Security half-day seminar was a Cloud Computing Panel moderated by Rich Mogull (Analyst/CEO at Securosis) with Josh Zachary (Rackspace), Jim Rymarczk (IBM), and Phil Agcaoili (Dell) participating in the panel.  My notes from the panel discussion are below:

Phil: Little difference between the outsourcing of the past and today’s Cloud Computing.  All of that stuff is sitting outside of your environment and we’ve been evolving toward that for a long time.

Rich: My impression is that there are benefits to outsourced hosting, but there are clearly areas that make sense and areas that don’t.  This is fundamentally different from shared computing resources.  Very different applications for this.  Complexity goes up very quickly for security controls.  Where do you see the most value today?  Where do people need to be most cautious?

Jim: Internal virtualization is almost necessary, but it impacts almost every IT process.  Technology is still evolving and is far from advanced state.  Be pragmatic and find particular applications with a good ROI.

Josh: Understand what you are putting into a cloud environment.  Have a good understanding of what a provider can offer you in terms of sensitive data.  Otherwise you’re putting yourself in a very bad situation.  A lot of promise.  Great for social networking and web development.  Not appropriate with enterprises with large amounts of IP and sensitive data.

Jim: We’ll get there in 4-5 years.

Phil: Let supply chain experts do it for you and then interact with them.  Access their environment from anywhere.  Use a secure URL with a federated identity.  Your business will come back to you and say “We need to do this” and IT will be unable to assist them.  Use it as an opportunity to mobilize compliance and InfoSec and get involved.  It’s going to come to us and we’re just going to have to deal with it.  There’s a long line of people with a “right to audit”.  Don’t think that someone is doing the right thing in this space, you have to ask.

Audience: What is the most likely channel for standards?

Phil: Cloud Security Alliance is a step in the right direction.  Want to come up with PCI DSS-like checklists.  CSA is working with IEEE and NIST to work along with them.  Goal is to be able to feed the standards process, not become a standards body.

Rich: The market is anti-standards based.  If we get standardized, then all of the providers are only competing based on cost.

Jim: I think it’ll happen.  We will see ISO groups for standards on cloud quality.

Audience: Moving data between multiple clouds.  How do you determine who gets paid?

Jim: There are proposals for doing that.  All of the resource parameters.

Phil: Should see standards based on federated identity.  Who is doing what and where.  That’s where I’ve seen the most movement.  There is no ISO for SaaS.  Remapping how 27001 and 27002 apply to us as a software provider.

Audience: Two things that drive standards.  The market or monopoly (BetaMax).

Rich: We will have monopolistic ones and then 3rd parties that say they use those standards.

Audience: How can you really have an objective body create standards without being completely embedded in the technology?

Jim: You create a reference standard and the market drives that.

Phil: Gravity pulls us to things that work.  Uses SAML as an example.  It’s the way the internet has always worked.  The strongest will survive and the right standards will manifest themselves.

Rich: What are some of things that you’re dealing with internally (as consumers and providers) and the top suggestions for people stuck in this situation?

Jim: People who don’t have all of the requirements do public clouds.  If what you want is available, it may be irresistible.

Josh: Solution needs to be appropriate to the need.  Consult with your attorney to make sure your contract is in line with what you’re leveraging the provider for.  It’s really about what you agree to with that provider and their responsibilities.

Phil: The hurricane is coming.  You can’t scream into the wind, you gotta learn to run for cover.  Find the safe spot.

Audience: What industries do you see using this?  I don’t see it with healthcare.

Phil: Mostly providers for us.  Outsourcing service desks.  Government.  Large states/local.

Josh: Small and medium retail businesses.  Get products out there at a significantly reduced cost.

Jim: Lots of financial institutions looking for ways to cut costs.  Healthcare industry as well (Mayo Clinic).  Broad interest across the whole market, but especially anywhere they’re under extreme cost measures.

Rich: I run a small business that picked an elastic provider that couldn’t pay for a full virtual hosting provider.  Doing shared hosting right now, but capable of growing to a virtual private server.  Have redundancy.  Able to go full-colocation if they need it.  Able to support growth, but start with the same instance to get there.

Audience: How does 3rd party transparency factor into financial uses?

Jim: Almost exclusively private clouds.  There are use cases playing out right now that will be repeatable patterns.  Use cases.

Phil: When the volume isn’t there, offload to someone like Rackspace and they’ll help you to grow.

Audience: Are there guidelines to contracts to make sure information doesn’t just get outsourced to yet another party?

Phil: Your largest partners/vendors: steal their contracts.  Use them as templates.

Audience: What recourse do you have that an audit is used to verify that security is not an issue?

Rich: Contracts.

Phil: Third party assessment (i.e. the right to audit).  It’s in our interest to verify they are secure.  It’s a trend and we now have a long list of people looking to audit against us as a provider.  Hoping for an ISO to come up truly for the cloud.

Audience: Is cloud computing just outsourcing?

Rich: It’s more than that.  For example, companies have internal clouds that aren’t outsourced at all.

Josh: Most of the time it’s leveraging resources more efficiently at hopefully a reduced cost.

Audience: How do I know you’re telling me the truth about the resources I’m using?  What if I’m a bad guy who wants to exploit a competitor using the cloud?

Josh: We’ve seen guys create botnets using stolen credit cards.  What you’re billed for is in your contract.

Jim: We’ve had this solved for decades on mainframes.  Precious resources propagated amongst users.  There’s no technical reason we’re not doing it today.

Rich: It depends what type of cloud you’re using.  Some will tell you.

Josh: If you’re worried about someone abusing you, why are you there in the first place?

Phil: For our service desk we meter this by how many calls, by location.  Monitor servers that were accessed/patched/etc.  Different service providers will have different levels.

Audience: Seeing some core issues at the heart of this.  For businesses, an assessment of core competencies.  Can you build a better data center with the cloud?  Second issue involves risk assessment.  Can you do a technical audit?  Can you pay for it legally?  How much market presence does the vendor have?  Who has responsibility for what?  Notion of transparency of control.  Seems like it distills down to those core basics.

Jim: I agree.

Rich: Well said.

Phil: Yes, yes, yes.

Audience: How do you write a contract for failed nation states, volatility, etc?  Do we say you can’t put our stuff in these countries?

Phil: This is the white elephant in the room.  How can you ensure that my data is being protected the way I’d protect it myself.  It’s amazing what other people do when they get a hold of that stuff.  This is the underlying problem that we have to solve.  “Moving from a single-family home to a multi-tenant condo.  How do we build that now?”

Rich: You need to be comfortable with what you’re putting out there.

Audience: To what extent is the military or federal government using cloud computing?

Jim: They’re interested in finding ways, but they don’t talk about how they’re using it.

Audience – Vern: They’re doing cloud computing using an internal private cloud already.  They bill back to the appropriate agency based on use.

Phil: Government is very wary of what’s going on.