Every now and then I see a document that really answers a particular question in a way that makes simple, straightforward sense. I can’t begin to count how much I have read on cloud security, and how few real answers I have seen. A really great spoof on this that describes exactly how most of us feel is the Novell-inspired ‘Are you trying to pin a tail on a cloud security donkey?’ It does have a serious side in promoting the answer as the A6 Group, which promotes the answer as being based around audit, assertion, assessment, and assurance. And no, I don’t know why there are only four A’s and not six!
It’s all good stuff but it’s complex and difficult to explain, and therefore difficult to bring into mass good practice. So imagine my delight when I encountered the first document that lays it all out clearly in a visual model with an understandable and cohesive approach. Congratulations to the Jericho Forum!
The Jericho Forum has been doing solid, good-quality work on security for some years; more recently they have added the cloud to their work on looking at ‘borderless security’. The basic approach remains to identify elements in any given interaction, the risks associated with each element, and then the way to secure each element to provide a cohesive and comprehensive approach regardless of what is combined into any individual transaction. The Jericho Forum goal for securing clouds has four straightforward elements:
- Separate what should or should not be implemented in clouds
- Categorise the different ways that clouds can be implemented
- Recognise the key characteristics, benefits and risks of each type
- Provide a framework for exploring, defining and developing an approach
The way that they have arrived at point 4 is the breakthrough, and they call it the Jericho Cloud Cube Model for selecting Cloud Formations for Secure Collaboration. You can download the paper that defines it here. Consider the simplicity of the approach, and most of all start to use it! But is it really that easy? Well, it is if the requirement is recognisable within the type of IT systems of today, i.e. deterministic and close-coupled. So right now I regard this as an extremely helpful document to use as a planning aid to decisions about clouds and security of services running on clouds.
So what’s the big ‘but’ about tomorrow? The simple answer is scale and loosely coupled orchestration, meaning the numbers of ‘services’ and the numbers of combinations that the ‘services’ can be orchestrated within, probably by users themselves, are huge. The challenge is that the ‘Internet of Things’ is arriving day by day through an inversion of Moore’s law. The driving force for adoption has shifted from the original, which said the amount of computational power from a chip will double every 18 months, to something closer to saying the cost will halve and so will the power consumption. (It’s not quite true, but it’s definitely a recognisable change in this direction.)
The result is an endless number of smart devices from phones to tablets, as well as notebooks, all arriving into the hands of users; almost certainly wirelessly connected and used as roaming devices. Now figure out what happens when all these devices want to use all the services available from the various available clouds, plus the different types of clouds, and the answer is …?
So once again the challenge reasserts itself; the use of, and role of, technology in the enterprise is going to become far larger and very different to that of the deterministic numbers of users, devices and applications of today. Now that does make the case for a security framework such as Jericho Cloud Cube to be enriched far beyond the first version, but it equally makes the case to get to understand and apply the version of today before the extent of the problem really makes itself apparent.
Whilst on the topic of good straightforward moves, the Cloud Security Alliance deserves a mention for its recently announced introduction of a certification scheme to ensure holders have gained an ‘awareness’ of the risks that cloud-based services can introduce. Called the Cloud Certificate of Security Knowledge, CCSK, its launch got endorsements from some good names so it looks to qualify as a ‘straightforward approach’ to cloud security as well!