Saturday, March 20, 2010

Compliance in the Cloud?

A few weeks ago, I was part of a panel at the RSA Security Conference called “Cloudy with a Chance of Litigation.” This panel of lawyers and security practitioners tried to anticipate the kinds of legal issues that would arise in litigation, from liability of providers for security compromise to the dicey issues of e-discovery of something as amorphous as a cloud. There was a general sense of trepidation about cyber security in the cloud that permeated this and other sessions. While most admitted that the technology of today’s clouds isn’t much different from the time-share style computing that mainframes have offered for 40 years, many have highlighted some possible pitfalls in moving quickly into technologies that require little upfront planning or expense and therefore often miss the radars of both cyber security professionals and legal counsel. Moreover, seemingly innocuous uses of cloud computing can quickly evolve into “bet the business” style operations when the initial pilots seem to work without a hitch.

But amidst all the confusion, hype, and understandable worry, we may find a bit of a silver lining: a somewhat standardized platform that security service providers and software developers can target. Because one of the biggest problems for security professionals is often defining and maintaining secure configurations in a heterogeneous environment, the cloud, by necessity, offers some solutions. While cloud providers do offer some flexibility in their software-as-a-service, platform-as-a-service, and infrastructure-as-a-service capabilities, service providers need to offer consistency and manageability in their packages to make money and stay competitive. And so while storage, processors, and memory can vary, certain virtualization technologies and management tools may be the same across all customers. That makes it easier for security service provider solutions like McAfee’s Cloud Secure Program to be effective. By working closely with the cloud provider, Amazon in this case, McAfee can focus its energies on offering a secure and compliant service and less on addressing the interoperability and customization issues that plague far too many technology deployments. Through economies of scale and competition, we have the possibility for innovative approaches that are relatively inexpensive and easy to deploy. The best part is that it offers the best hope yet for automating compliance processes as well as simple security tasks, so security professionals can focus on evolving threats and issues that are more unique to their businesses. If that can happen, maybe all this hype surrounding cloud won’t be so bad.
