CTO Blog

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

A straightforward approach to cloud security

Every now and then I see a document that really answers a particular question in a way that makes simple, straightforward sense. I can’t begin to count how much I have read on cloud security, and how few real answers I have seen. A really great spoof on this, one that describes exactly how most of us feel, is the Novell-inspired ‘Are you trying to pin a tail on a cloud security donkey?’ It does have a serious side in promoting the A6 Group, which presents the answer as being based around audit, assertion, assessment, and assurance. And no, I don’t know why there are only four A’s and not six! It’s all good stuff, but it’s complex and difficult to explain, and therefore difficult to bring into mass good practice.

So imagine my delight when I encountered the first document that lays it all out clearly in a visual model with an understandable and cohesive approach. Congratulations to the Jericho Forum! The Jericho Forum has been doing solid, good-quality work on security for some years; more recently they have added the cloud to their work on ‘borderless security’. The basic approach remains to identify the elements in any given interaction, the risks associated with each element, and then the way to secure each element, so as to provide a cohesive and comprehensive approach regardless of what is combined into any individual transaction. The Jericho Forum goal for securing clouds has four straightforward elements:

  1. Separate what should or should not be implemented in clouds
  2. Categorise the different ways that clouds can be implemented
  3. Recognise the key characteristics, benefits and risks of each type
  4. Provide a framework for exploring, defining and developing an approach

The way that they have arrived at point 4 is the breakthrough, and they call it the Jericho Cloud Cube Model for selecting Cloud Formations for Secure Collaboration. You can download the paper that defines it here. Consider the simplicity of the approach, and most of all start to use it!

But is it really that easy? Well, it is if the requirement is recognisable within the type of IT systems of today, i.e. deterministic and close-coupled. So right now I regard this as an extremely helpful document to use as a planning aid for decisions about clouds and the security of services running on clouds.

So what’s the big ‘but’ about tomorrow? The simple answer is scale and loose-coupled orchestration, meaning that the number of ‘services’, and the number of combinations in which those ‘services’ can be orchestrated, probably by users themselves, is huge. The challenge is that the ‘Internet of Things’ is arriving day by day through an inversion of Moore’s law. The driving force for adoption has shifted from the original, which said the amount of computational power from a chip will double every 18 months, to something closer to: the cost will halve and so will the power consumption. (It’s not quite true, but it’s definitely a recognisable change in this direction.) The result is an endless number of smart devices, from phones to tablets as well as notebooks, all arriving in the hands of users, almost certainly wirelessly connected and used as roaming devices. Now figure out what happens when all these devices want to use all the services available from the various available clouds, plus the different types of clouds, and the answer is …?

So once again the challenge reasserts itself: the use of, and role of, technology in the enterprise is going to become far larger than, and very different from, that of the deterministic numbers of users, devices and applications of today.

Now that does make the case for a security framework such as the Jericho Cloud Cube to be enriched far beyond the first version, but it equally makes the case for getting to understand and apply the version of today before the extent of the problem really makes itself apparent.

Whilst on the topic of good straightforward moves, the Cloud Security Alliance deserves a mention for its recently announced introduction of a certification scheme to ensure holders have gained an ‘awareness’ of the risks that cloud-based services can introduce. Called the Cloud Certificate of Security Knowledge, CCSK, its launch got endorsements from some good names, so it looks to qualify as a ‘straightforward approach’ to cloud security as well!

About the author

Andy Mulholland
Capgemini Global Chief Technology Officer until his retirement in 2012, Andy was a member of the Capgemini Group management board and advised on all aspects of technology-driven market changes, together with being a member of the Policy Board for the British Computer Society. Andy is the author of many white papers, and the co-author of three books that have charted the current changes in technology and its use by business, starting in 2006 with ‘Mashup Corporations’, detailing how enterprises could make use of Web 2.0 to develop new go-to-market propositions. This was followed in May 2008 by ‘Mesh Collaboration’, focussing on the impact of Web 2.0 on the enterprise front office and its working techniques, then in 2010 by ‘Enterprise Cloud Computing: A Strategy Guide for Business and Technology leaders’, co-authored with well-known academic Peter Fingar and one of the leading authorities on business process, John Pyke. The book describes the wider business implications of Cloud Computing with the promise of on-demand business innovation. It looks at how businesses trade differently on the web using mash-ups, but also at the challenges in managing more frequent change through social tools, and what happens when cloud comes into play in fully fledged operations. Andy was voted one of the top 25 most influential CTOs in the world in 2009 by InfoWorld and is grateful to readers of Computing Weekly who voted the Capgemini CTOblog the best Blog for Business Managers and CIOs each year for the last three years.
