In Cloud We Trust…

Throughout 2010, surveys have shown how the lack of trust in cloud computing is slowing the adoption of cloud services. This week at the RSA Conference in San Francisco, California, securing the cloud is on everybody’s mind. Not surprisingly, many are still outlining a piecemeal approach to cloud security using the same recipes that have not worked in the past several decades. However, several credible and powerful voices are emerging from the noise to offer a much more compelling approach to accelerating the adoption of cloud services. The idea is to build a new comprehensive cloud trust model that exploits the unique characteristics of cloud and virtualization. Now, the good news: Leaders in cloud computing are making trust the centerpiece of their strategy and the technology to build this trust model is available now.

In a vision paper entitled “Proof Not Promises: Creating the Trusted Cloud”, industry veterans from EMC, RSA and VMware share their vision for trust in the cloud. The authors have updated Ronald Reagan’s formula for controlling the Soviet Union, “Trust but Verify”, into its cloud equivalent: “Trust = Visibility + Control”. The paper provides a convincing and inspiring perspective that wraps several of the concepts we have previously discussed in this blog: the opportunity to use virtualization to provide better security and the irreversible evolution towards information-centric security that is built into the cloud infrastructures. The juxtaposition of these concepts with very concrete technology proof points and the endorsement of the industry thought leaders make the paper a must-read for any IT decision maker who wants to reap the cost and agility benefits of cloud computing sooner rather than later.

In a related announcement that makes this vision even more concrete, we (the RSA cloud team) announced the Cloud Trust Authority, a set of cloud services to provide cloud customers control and visibility over cloud providers. In its initial instantiation, the Cloud Trust Authority will provide control of enterprise identities and visibility into cloud providers’ compliance posture. The Cloud Trust Authority Identity Service is a cloud-based identity federation hub that enforces strong authentication and controls access to cloud resources. The Cloud Trust Authority Compliance reporting service provides cloud customers with compliance reports for cloud providers based on the Cloud Security Alliance GRC stack. We all believe that this new trust model will drastically simplify the trust relationship between cloud customers and cloud providers by using an intermediary, the Cloud Trust Authority, to handle the most complex technical integration required to provide compliance and to secure identities, information and workloads in the cloud.

What I like the most about the trusted cloud conversation is its tone. It completely changes the role of the IT security department from a whining team that everybody avoids to a critical partner in the definition of the enterprise’s cloud strategy. All of a sudden, the security team is solving the identity management, information control and compliance problems and is sitting between the IT department and the cloud promise of flexibility, agility and cost reduction.

Forget the surveys: the industry is getting ready for a new cloud computing motto for 2011 and beyond: “In Cloud We Trust”.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize