CTO Blog

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

RSA Conference redefines security for clouds; US and EU redefine security for data centres!

At the beginning of the week I had made a note to examine the latest views on security presented at the annual RSA Conference 2011. I noticed that the Cloud Security Alliance Summit, which was present at the RSA Conference running its own stream, had the US government’s CIO Vivek Kundra talking about moving government data into ‘the cloud’. It certainly sounded as though he was confident on the data security front, and his presentation was compelling from the perspective of numbers and savings to be made. The desire to close 800 government data centres (roughly half the total) by 2015 to bite into the $80 billion operating costs of today is a target and argument that makes sense.

Does that mean the security worries, not just of data centres but of the whole user’s browser-based decentralised security model, are solved? Well, the Cloud Security Alliance guys were, as you might expect, very positive, but the work at the mainstream RSA event looked more like a real in-depth solution was on its way. The one big thread that seemed to be running through the big technologists’ presentations was a consistent focus on ‘endpoint’ security.

Bill Veghte, HP’s Executive VP of Software and Solutions, provided a good definition of the what and why of this shift in thinking. He pointed out that there is a shift from enterprise IT to consumer IT that is redefining the fabric of the environment, as different devices (smartphones, iPads etc.), often owned by the employees, are being used at different locations and times to perform enterprise work. “The reality is that the way apps and services and business processes will be delivered is changing in a big way. We have to address the reality that the user is more empowered than ever before”. There was surprisingly little coverage of this presentation, not helped by a single paragraph on the HP press site, which seemed to suggest that this was a routine effort, but at least a couple of reporters did catch it.

Scott Charney, Microsoft Corporate VP for Trustworthy Computing, added more detail to his whitepaper from last year, in which active measures would quarantine devices that are considered by the ‘internet/web’ global community as a whole to be dangerous, restricting higher level functionality whilst maintaining basic functionality to ‘deal with the problem device/user’. Scott chose to use the metaphor of smoking and public health to make his point: “Collective defence is better than individual defence, but we need to be applying public health models to the Internet. …Smoking used to be considered a personal decision based on the individual’s attitude to the risk. Once the dangers of second hand smoke were understood, public health rules applied because common good was threatened. The same is true for the Internet”. A summary of the full presentation is available on the Microsoft press site.

Ambika Gadre, Senior Director of Cisco Security Business Unit, summed it up neatly with the comment: “We need to rethink the entire Security Architecture, the endpoint is fracturing into a million directions”. You can see his personal video chat on YouTube on how Cisco is addressing this.

So what is the link to the US government CIO feeling confident enough to move entire data centres to the cloud? Just that! He is talking about the recognisable enterprise IT model of centralisation, which is still defendable in recognisable ways built around guarding access from defined users, almost certainly working from traditional offices on government owned and managed machines. Move one data centre from government ownership to another site where it is operated by an efficient hosting operator and the issues are definable.

In fact they are so definable that the European Union agency ENISA, the European Network and Information Security Agency, published a downloadable report back at the end of 2009 that, over 125 pages, clearly identified all of the issues that were risks in a move of the kind that the US government’s CIO is making. Its summary was:

The key conclusion of this paper is that the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost effective.

What is really at stake here is the cold hard definition of shared service centres running enterprise IT applications where the risk is centred on location change rather than change of use. (Though one can add an emotive risk around loss of local control.) It’s popular to call this ‘cloud’ but in fact it is a continuation of the current evolution of data centre optimisation around heavy virtualisation. A genuine cloud is based on browser/cloud technologies to provide user driven consumption (and creation) of ‘services’ from a variety of devices and locations.

That’s a very different security challenge and what is clear from the presentations at the RSA Conference is that the industry agrees on the core of the approach that it is taking to resolve it. From an operational point of view today the trick is to recognise the difference and keep the two environments apart!

About the author

Andy Mulholland
Capgemini Global Chief Technology Officer until his retirement in 2012, Andy was a member of the Capgemini Group management board and advised on all aspects of technology-driven market changes, together with being a member of the Policy Board for the British Computer Society. Andy is the author of many white papers, and the co-author of three books that have charted the current changes in technology and its use by business, starting in 2006 with ‘Mashup Corporations’, detailing how enterprises could make use of Web 2.0 to develop new go to market propositions. This was followed in May 2008 by ‘Mesh Collaboration’, focussing on the impact of Web 2.0 on the enterprise front office and its working techniques, then in 2010 “Enterprise Cloud Computing: A Strategy Guide for Business and Technology leaders”, co-authored with well-known academic Peter Fingar and one of the leading authorities on business process, John Pyke. The book describes the wider business implications of Cloud Computing with the promise of on-demand business innovation. It looks at how businesses trade differently on the web using mash-ups but also the challenges in managing more frequent change through social tools, and what happens when cloud comes into play in fully fledged operations. Andy was voted one of the top 25 most influential CTOs in the world in 2009 by InfoWorld and is grateful to readers of Computing Weekly who voted the Capgemini CTOblog the best Blog for Business Managers and CIOs each year for the last three years.
