The Cloud Advocate: 2011 Cloud Expo NY Day Three and Four
June 10, 2011, 08:12 am EDT
The 2011 Cloud Computing Expo in New York just wrapped up, fittingly with a deluge and lightning storm that just unleashed over New York, almost to the hour of the close of the show, as if the cloud were trying to declare its primacy over the week. A couple of themes have popped up which will prove to be fodder for future topics. Let me throw out some of the ones that popped up these last two days:
Self-Service, Skynet, and Cylons
I was quite astonished at the universal call to organizations to change the way they run applications and ops. As a marketing guy, I don’t typically see a universally agreed upon message from vendors, but in this case there was one from the cloud management platform vendors. I’ll give credit to Abiquo’s Pete Malcolm for articulating it most clearly, but it was also echoed by Dave Roberts from ServiceMesh. The essential argument is this: your apps groups have had to go to IT for 30 years with the same process for infrastructure. That process has been winnowed from 4 months to 1 week provisioning time (that’s now even with virtualization). With that same organization infrastructure, with IT executing on infrastructure changes for apps groups, organizations will never scale or enjoy the cost savings of moving to the cloud. Only a self-service model can solve this, enabled by cloud management platforms. So provisioning drops to 10 minutes and can be executed by the individual apps groups and lines of business, and heck, even automated against set business policy and triggers.
This all makes sense to me, but I’ve worked with enough security organizations to know that it has serious implications for organizations’ ability to spot and mitigate structural security problems with the cloud. The security organizations I talk to aren’t quite socially and behaviorally structured to do this. If we as a security profession don’t change in response to this model we are going to be just like the Battlestar Galactica diaspora who found themselves looking down the barrel of the laser gun of their Cylon overlords. This is an entire topic I’ll have to cover in more depth when I get back from the show.
One of the Few Times I Want Us to Talk to Lawyers
Typically I’m not fond of lawyers, for obvious reasons. But after working with the cloud and seeing the pain out there, I think the industry in general is in need of some good legal counsel and education about liability and cloud contracts. So we had a very interactive session with Richard Santalesa of the Information Law Group (who also did the entire session without slides because his laptop died!). I almost always cover liability and contracts when I’m speaking to information security professionals about the cloud, and it was great to hear a real lawyer talk more in depth about these topics. The essence comes down to who owns data and is liable for damages if data is breached. I’ve covered this elsewhere in this blog, but essentially almost every cloud contract leaves you absolutely responsible and many people never know it. Unless you’ve hired Richard and the guys over at his group, who are on the cutting contractual edge of eking out a better shared responsibility model. Apparently he has negotiated one or two contracts where the cloud provider signed up for some liability within set monetary limits. I don’t expect this to be common, but I really think we need to start setting this as the norm in the industry. I’m going to see if I can bring this guy back and drive a further dialogue with the community on this subject. But it was fascinating, and if you aren’t already doing it now, read your cloud contract and start researching liability and ownership in the cloud.
OpenStack Comes Out
Lastly, since I’m about to be kicked out of a coffee shop in NY by a nice but firm barista: Rackspace went all-out in promoting OpenStack. Normally I would just put this up to vendor hyperbole, even if it is open source, except that OpenStack has come up several times in conversations and after this show I expect to see it more.
-Dean
This entry was posted in Cloud Security and tagged Cloud Contracts, Cloud Ownership, Cloud Security Process by Dean Ocampo.