Saturday, 14 March 2009

Just like buses...

No posts for a week and then two in one day...

Thought I'd post some more cloudy musings.

i) It's not all new – we've been doing computing on shared resources since forever. I remember working at one of the high street banks who were running their production and development environments on the same MVS mainframe.

ii) What is new can be new in subtle and interesting ways, for example:

  • the hypervisor; like it or not, the hypervisor is a single point of failure for the security controls of every guest it hosts
  • network security – some of your firewalls and IDS become rather useless when all of the comms take place within a single piece of hardware, because VM-to-VM traffic on the same host never crosses the physical network where those devices sit (caveat: some software firewalls are supported in virtual environments, but I'm guessing there are still a few niggles to be ironed out, and you can get IDS that operate inside the hypervisor – simplification – check out http://www.catbird.com/)
  • the potential hypervisor problems mean that your threat model has just widened – you now need to worry about the threats facing every other system processed on the same virtualised infrastructure. How can you do this if you don't know who's sharing the kit?
  • incident management – what happens when one client has an incident on shared hardware? How do you contain it and limit the exposure of co-located services?

iii) private and closed community clouds are good; let's not just dismiss them as an edge case

iv) cloud computing is going to drive Jericho-style deperimeterisation at an increased pace; move the protection closer to the data

v) compliance is still going to be a pig. But then what's new?

vi) Organisations need to be honest with themselves about their current physical and technical security controls before scoping out what they expect from a cloud provider – a cloud does not necessarily have to be better than the existing controls, simply acceptable from a cost/risk perspective

vii) oldie but goodie – organisations need to decide what they want to do (with whom and with what data) before deciding that cloud is the answer

viii) It's probably the most interesting security problem out there at the moment, from both policy and technology perspectives.