Forrester: A Close Look At Cloud Computing Security Issues
Chenxi Wang examines security, compliance and contractual issues in cloud computing.
From my point of view the IT industry is not working hard enough to separate infrastructure and data from each other. I'm aware that most of the big IT shops are working on data-centric approaches, but being an enterprise customer today, it is incredibly hard to find a way to easily separate the two from each other. We have already seen too many audit observations around databases and separation of duties, right?
Without this ability it is extremely hard to move into real cloud services as described by Chenxi, and I can't agree more with what she wrote.
-Andreas
http://ITRiskSpace.com
So, I read through this and it contributes very little to the conversation of how to address the concerns. It's simply a restatement of what is already known by a lowly system admin who works in a company with a compliance requirement.
Why isn't there a discussion on how to break apart your topology into security regions? DMZ? What kinds of buyers should consider the cloud and what kinds shouldn't?
Sorry, it's just that a lot of people talk about the cloud but few suggest practical uses. I'm a little fed up.
Forrester touched on this topic in a webinar on "Internal Clouds: Bringing Cloud Computing In-House" - http://www.datasynapse.com/internalcloud
This analyst lacks industry experience and tends to summarize well-known issues.
HoneyNet project [ http://www.honeynet.org ] should be useful as a beginning on cloud security.
I'm curious about the role of technical standards and practices for cloud services. What do we have and what more is needed to achieve a level of security and internal control suitable to cloud providers and users? How would we like to see things like WS*, KMIP, IdM, all the ISO, CERT/REF, COSO, etc pieced together/deployed to make the cloud a safe haven for pay-as-you-go and other applications?
I read your concerns regarding security in the cloud. My conclusion is that it is not black and white. Just because something is in the cloud does not make it insecure. I have a detailed blog post, "Debunking The Cloud Security Issues", outlining my views.
http://cloudcomputing.blogspot.com/2009/07/debunking-cloud-security-issues.html