Next up at the Cloud Computing and Virtualization Security half-day seminar was a Cloud Computing Panel moderated by Rich Mogull (Analyst\/CEO at Securosis) with Josh Zachary (Rackspace), Jim Rymarczk (IBM), and Phil Agcaoili (Dell) participating in the panel.\u00a0 My notes from the panel discussion are below:<\/p>\n
Phil: Little difference between outsources of the past and today’s Cloud Computing.\u00a0 All of that stuff is sitting outside of your environment and we’ve been evolving toward that for a long time.<\/p>\n
Rich: My impression is that there are benefits to outsourced hosting, but there are clearly areas that make sense and areas that don’t.\u00a0 This is fundamentally different from shared computing resources.\u00a0 Very different applications for this.\u00a0 Complexity goes up very quickly very quickly for security controls.\u00a0 Where do you see the most value today?\u00a0 Where do people need to be most cautious?<\/p>\n
Jim: Internal virtualization is almost necessary, but it impacts almost every IT process.\u00a0 Technology is still evolving and is far from advanced state.\u00a0 Be pragmatic and find particular applications with a good ROI.<\/p>\n
Josh: Understand what you are putting into a cloud environment.\u00a0 Have a good understanding of what a provider can offer you in terms of sensitive data.\u00a0 Otherwise you’re putting yourself in a very bad situation.\u00a0 A lot of promise.\u00a0 Great for social networking and web development.\u00a0 Not appropriate with enterprises with large amounts of IP and sensitive data.<\/p>\n
Jim: We’ll get there in 4-5 years.<\/p>\n
Phil: Let supply chain experts do it for you and then interact with them.\u00a0 Access their enviornment from anywhere.\u00a0 Use a secure URL with a federated identity.\u00a0 Your business will come back to you and say “We need to do this” and IT will be unable to assist them.\u00a0 Use it as an opportunity to mobilize compliance and InfoSec and get involved.\u00a0 It’s going to come to use and we’re just going to have to deal with it.\u00a0 There’s a long line of people with a “right to audit”.\u00a0 Don’t think that someone is doing the right thing in this space, you have to ask.<\/p>\n
Audience: What is the most likely channel for standards?<\/p>\n
Phil: Cloud Security Alliance is a step in the right direction.\u00a0 Want to come up with PCI DSS like checklists.\u00a0 CSA is working with IEEE and NIST to work along with them.\u00a0 Goal is to be able to feed the standards process, not become a standards body.<\/p>\n
Rich: The market is anti-standards based.\u00a0 If we get standardized, then all of the providers are only competing based on cost.<\/p>\n
Jim: I think it’ll happen.\u00a0 We will see ISO groups for standards on cloud quality.<\/p>\n
Audience: Moving data between multiple clouds.\u00a0 How do you determine who gets paid?<\/p>\n
Jim: There are proposals for doing that.\u00a0 All of the resource parameters.<\/p>\n
Phil: Should see standards based on federated identity.\u00a0 Who is doing what and where.\u00a0 That’s where I’ve seen the most movement.\u00a0 There is no ISO for SaaS.\u00a0 Remapping how 27001 and 27002 apply to us as a software provider.<\/p>\n
Audience: Two things that drive standards.\u00a0 The market or monopoly (BetaMax).<\/p>\n
Rich: We will have monopolistic ones and then 3rd parties that say they use those standards.<\/p>\n
Audience: How can you really have an objective body create standards without being completely embedded in the technology?<\/p>\n
Jim: You create a reference standard and the market drives that.<\/p>\n
Phil: Gravity pulls us to things that work.\u00a0 Uses SAML as an example.\u00a0 It’s the way the internet has always worked.\u00a0 The strongest will survive and the right standards will manifest themselves.<\/p>\n
Rich: What are some of things that you’re dealing with internally (as consumers and providers) and the top suggestions for people stuck in this situation?<\/p>\n
Jim: People who don’t have all of the\u00a0 requirements do public clouds.\u00a0 If what you want is available (salesforce.com), it may be irresistible.<\/p>\n
Josh: Solution needs to be appropriate to the need.\u00a0 Consult with your attorney to make sure you contract is in line with what you’re leveraging the provider for.\u00a0 It’s really about what you agree to with that provider and their responsibilities.<\/p>\n
Phil: The hurricane is coming.\u00a0 You can’t scream into the wind, you gotta learn to run for cover.\u00a0 Find the safe spot.<\/p>\n
Audience: What industries do you see using this?\u00a0 I don’t see it with healthcare.<\/p>\n
Phil: Mostly providers for us.\u00a0 Outsourcing service desks.\u00a0 Government.\u00a0 Large states\/local.<\/p>\n
Josh: Small and medium retail businesses.\u00a0 Get products out there at a significantly reduced cost.<\/p>\n
Jim: Lots of financial institutions looking for ways to cut costs.\u00a0 Healthcare industry as well (Mayo Clinic).\u00a0 Broad interest across the whole market, but especially anywhere they’re under extreme cost measures.<\/p>\n
Rich: I run a small business that picked an elastic provider that couldn’t pay for a full virtual hosting provider.\u00a0 Doing shared hosting right now, but capable of growing to a virtual private server.\u00a0 Have redundancy.\u00a0 Able to go full-colocation if they need it.\u00a0 Able to support growth, but start with the same instance to get there.<\/p>\n
Audience: How does 3rd party transparency factor into financial uses?<\/p>\n
Jim: Almost exclusively private clouds.\u00a0 There are use cases playing out right now that will be repeatable patterns.\u00a0 Use cases.<\/p>\n
Phil: When the volume isn’t there, offload to someone like Rackspace and they’ll help you to grow.<\/p>\n
Audience: Are there guidelines to contracts to make sure information doesn’t just get outsourced to yet another party?<\/p>\n
Phil: Your largest partners\/vendors steal their contracts.\u00a0 Use them as templates.<\/p>\n
Audience: What recourse do you have that an audit is used to verify that security is not an issue?<\/p>\n
Rich: Contracts.<\/p>\n
Phil: Third party assessment (ie. the right to audit).\u00a0 It’s in our interest to verify they are secure.\u00a0 It’s a trend and we now have a long list of people looking to audit against us as a provider.\u00a0 Hoping for an ISO to come up truly for the cloud.<\/p>\n
Audience: Is cloud computing just outsourcing?<\/p>\n
Rich: It’s more than that.\u00a0 For example, companies have internal clouds that aren’t outsourced at all.<\/p>\n
Josh: Most of the time it’s leveraging resources more efficiently at hopefully a reduced cost.<\/p>\n
Audience: How do I know you’re telling me the truth about the resources I’m using?\u00a0 What if I’m a bad guy who wants to exploit a competitor using the cloud?<\/p>\n
Josh: We’ve seen guys create botnets using stolen credit cards.\u00a0 What you’re billed for is in your contract.<\/p>\n
Jim: We’ve had this solved for decades on mainframes.\u00a0 Precious resources propagated amongst users.\u00a0 There’s no technical reason we’re not doing it today.<\/p>\n
Rich: It depends what type of cloud you’re using.\u00a0 Some will tell you.<\/p>\n
Josh: If you’re worried about someone abusing you, why are you there in the first place?<\/p>\n
Phil: For our service desk we meter this by how many calls, by location.\u00a0 Monitor servers that were accessed\/patched\/etc.\u00a0 Different service providers will have different levels.<\/p>\n
Audience: Seeing some core issues at the heart of this.\u00a0 For businesses, an assessment of core competencies.\u00a0 Can you build a better data center with the cloud?\u00a0 Second issue involves risk assessment.\u00a0 Can you do a technical audit?\u00a0 Can you pay for it legally?\u00a0 How much market presence does the vendor have?\u00a0 Who has responsibility for what?\u00a0 Notion of transparency of control.\u00a0 Seems like it distills down to those core basics.<\/p>\n
Jim: I agree.<\/p>\n
Rich: Well said.<\/p>\n
Phil: Yes, yes, yes.<\/p>\n
Audience: How do you write a contract for failed nation states, volatility, etc?\u00a0 Do we say you can’t put our stuff in these countries?<\/p>\n
Phil: This is the white elephant in the room.\u00a0 How can you ensure that my data is being protected the way I’d protect it myself.\u00a0 It’s amazing what other people do when they get a hold of that stuff.\u00a0 This is the underlying problem that we have to solve.\u00a0 “Moving from a single-family home to a multi-tenant condo.\u00a0 How do we build that now?<\/p>\n
Rich: You need to be comfortable with what you’re putting out there.<\/p>\n
Audience: To what extent is the military or federal government using cloud computing?<\/p>\n
Jim: They’re interested in finding ways, but they don’t talk about how they’re using it.<\/p>\n
Audience – Vern: They’re doing cloud computing using an internal private cloud already.\u00a0 They bill back to the appropriate agency based on use.<\/p>\n
Phil: Government is very wary of what’s going on.<\/p>\n","protected":false},"excerpt":{"rendered":"
Next up at the Cloud Computing and Virtualization Security half-day seminar was a Cloud Computing Panel moderated by Rich Mogull (Analyst\/CEO at Securosis) with Josh Zachary (Rackspace), Jim Rymarczk (IBM), and Phil Agcaoili (Dell) participating in the panel.\u00a0 My notes from the panel discussion are below: Phil: Little difference between outsources of the past and […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[82,271],"tags":[39,268,294,179,301,299,298,293,295,297,302,296,300],"class_list":["post-268","post","type-post","status-publish","format-standard","hentry","category-cloud-computing","category-cloud-computing-security","tag-cloud","tag-computing","tag-dell","tag-ibm","tag-jim","tag-josh","tag-mogull","tag-panel","tag-rackspace","tag-rich","tag-rymarczk","tag-securosis","tag-zachary"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-4k","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=268"}],"version-history":[{"count":1,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/268\/revisions"}],"predecessor-version":[{"id":269,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/268\/revisions\/269"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}