It's 6 O'Clock -- Do You Know Where Your Cloud's Data Center Is? - InformationWeek

6/2/2009
08:52 PM
Charles Babcock

It's 6 O'Clock -- Do You Know Where Your Cloud's Data Center Is?

A comment that I liked on cloud computing came out of Sun's CommunityOne conference June 1 in San Francisco. It was from Tim Mather, a member of a panel on "Securing the Cloud--Why, What and How?" He said: "The trust boundary has moved with cloud computing but no one is clear where to."

Mather is VP and chief security strategist for RSA, the security software division of EMC Corp. The trust boundary he refers to is the ability to trust data because it comes from a known source, is in a validated format and is being stored in a secure setting. If the cloud is providing database processing or data storage for you, who is responsible for the trust boundary? The user, the cloud? Both?

Cloud providers may say, "You can trust us," but Mather warned: "There's a serious lack of transparency (on how security is being provided)." Cloud vendors don't necessarily wish to air their security measures because that makes them easier to breach.

"What vendors are doing needs to be made public," continued Mather. The exact measures don't need to be aired, but the degree of security provided needs to be stated, then audited by a trustworthy third party, who concludes whether the vendor is doing what it claims to be doing.

Before that can happen, standards that define degrees of data security need to be established. A vendor can claim solid practices, but also choose to define security policies in terms that are more flattering to its own practices than warranted, or at least more flattering to itself versus the next vendor.

Getting to step two is a bit hypothetical "when we're not even to the first step (cloud supplier transparency) yet," he concluded.

The National Institute of Standards and Technology has a draft of security standards for one party handling another party's data, and it should serve as a starting point. It's SP 800-117, the draft Guide to Adopting and Using the Security Content Automation Protocol (SCAP), which was released for public comment on May 9th. SCAP includes "specification for organizing and expressing security-related information in standardized ways."

A PDF of the draft can be downloaded from this NIST site, where there's a link that takes you to public comments.

Those thinking about using the cloud may find delving into security practices an exercise beyond their present level of engagement. But another member of the panel, David Hahn, senior VP and group information security officer of Wells Fargo, reminded the CommunityOne audience that Massachusetts recently passed a law that makes the data originator responsible for its security, regardless of where it's sent to be stored.

"If something goes wrong and you're asked what security measures were in place, it's not a good answer to say, 'I don't know where their data center is,'" he warned.
