Cloud Computing: The Case for Certification
So, now is the time to get behind the Certificate of Cloud Security Knowledge - the CSA's own new user certification program for security professionals.
In an exclusive interview on cloud trends, Reavis discusses:
- Which industries are the leaders - and laggards - in cloud adoption;
- The business case for user certification;
- Cloud trends to watch as we race toward 2011.
Reavis has worked in the information security industry as an entrepreneur, writer, speaker, technologist and business strategist. He is co-founder, executive director and driving force of the Cloud Security Alliance. Reavis was recently named as one of the Top 10 cloud computing leaders by SearchCloudComputing.com. <>p>He also is the President of Reavis Consulting Group, LLC, where he advises security companies, large enterprises and other organizations on the implications of new trends such as Cloud and how to take advantage of them. He has previously been an international board member of the ISSA, and formerly served as the association's Executive Director. Reavis was a co-founder of the Alliance for Enterprise Security Risk Management, a partnership between the ISSA, ISACA and ASIS, formed to address the enterprise risk issues associated with the convergence of logical and traditional security.
TOM FIELD: Jim, right off the bat here tell us a little bit about yourself and the Alliance, please. What's the group's mission?
REAVIS: Well, I am a person who has been around in the information security industry for about 20 years and have done a fair amount of work with professional associations and the non-profits as part of my work in helping the industry itself prosper. The Cloud Security Alliance is something that, with a few other of my colleagues in the industry, we formed about 18 months ago to address the burgeoning adoption of cloud computing and to try to promote secure and responsible adoption of cloud.
In essence, [the mission is to] sort of build a new ecosystem to help provide the assurance that is needed to make sure that not only do people do a good job of securing cloud computing, but they can show auditors -- they can provide attestation. And then we can look at what are some new interesting solutions we can do inside of the cloud itself.
FIELD: Jim, I know we both have been to a number of events this year. I have been to RSA and I've been to Gartner, and clearly everybody is talking about cloud now, but what are they actually doing about it?
REAVIS: Well, there are a lot of different types of adoption and levels of adoption right now. We are still sort of somewhere between the early adopter and the fast follower phase, and it does depend on what type of cloud you are doing. I could characterize it in a few different ways. We are certainly seeing a lot of very robust production, mission-critical oriented private clouds within large enterprises.
When it comes to public cloud, we are seeing a lot of adoption from the small and medium enterprise with that being for key systems. When you get to the large enterprises, you still see a fair amount of cautious adoption, sort of picking and choosing based on their risk appetite, and what type of solution makes the most sense inside of a public cloud. And this also varies geographically. We see a lot more private cloud adoption in North America versus other parts of the world, where it is still seems to be more public cloud, so a lot of different activities happening out there.
We are still sort of waiting for I think that compliance tipping point where everybody feels this is an okay thing from a regulatory perspective, and then I think we are really going to see the flood gates really open.
FIELD: Jim, you have been at this for a while now. What would you say is most misunderstood about cloud computing?
REAVIS: A couple of things. I think that from one side of it there is a tendency to gloss over the differences and to say "Well, this is just marketing hype, and really what we are talking about is outsourcing." And it is true that we have a lot of elements of outsourcing in what cloud computing is, but really some of the key differences are that you could have a term of service that lasts very transiently minutes or even seconds, where you have a business relationship with a cloud provider.
You also sort have this sort of anonymity of who that cloud provide might be if you are dealing with a SaaS provider for example -- software as a service -- and they are using other components, and you won't actually know who those organizations are.
The third thing is you may have this real anonymity of the geography of where your information is stored, where with traditional outsourcing you have the knowledge of -- in fact we can pick a specific co-location facility, and a lot of that may not be available in cloud.
I would say that that's really one of the biggest things that we see out there is just that misunderstanding, and then secondly I would just say there is just a misunderstanding of the different types of clouds themselves, public clouds/private clouds, things like that.
FIELD: You talked a few minutes ago about leaders and fast followers. Which industries would you say are pioneering cloud computing now, and how are they doing that?
REAVIS: I would probably answer this question sort of in there is a different way that you can slice this from a vertical and a horizontal perspective, as well as different organizations and even geographies. I will give you a few on where I see some leadership.
One example is scientific, engineering, pharmaceutical, computer oriented/computer intensive applications. You are seeing some organizations that are being early adopters of cloud computing where you need to very quickly, on demand string together a lot of compute resources, where we used to wait for time on a super computer. You are seeing that sort of thing happen very rapidly and being able to very quickly solve a business problem, reach some sort of conclusion, being able to move on from there.
And that works out really well in public cloud because they are very elastic, and it is very easy to give them your credit card, and you can get 30 more computers, 60 more computers, whatever you need, and the nature of those applications are very computer-oriented. They have an ability to segregate sensitive data or personal information, and they are able to keep that separate, so they don't have the same regulatory concerns. That is where we are seeing by nature of some early adopters out there.
Other areas are the software industry itself, if you look at this from a horizontal perspective. You are seeing entrepreneurs who are maybe someone who worked for a very large software company, a traditional shrink wrap software in the past, who are taking what they learned and building a business vertical application on top of a public cloud. They may be a two- or a three- or a four-person shop, but they have immediate access to the world's largest data center by going out into a public cloud and are able to very quickly build credible business applications.
Now when you talk about private clouds, then you do see a lot of sort of the traditional early adopters. You do see more of the financial services industry, you see more government adoption of private clouds, although I will say that we are actually seeing some adoption of public clouds by some governments actually outside of North America, we are seeing some more aggressive adoption there. So that is sort of how I would characterize the early adopters and what they are doing.
FIELD: Now the flipside of that, Jim, I don't want to call anybody a laggard, but are you surprised at any types of organizations that maybe are a little bit behind the fast followers?
REAVIS: Well, again, if you look at it from different types of cloud adoption, there are probably some pretty good reasons why you are seeing some laggards. In some areas of the financial services industry, for example, while you are seeing maybe some wealth management and particularly small wealth management organizations that are being fairly aggressive in cloud adoption, when you talk about public clouds you are just not seeing a lot of financial services adopting that right now.
It is not that they have specific security concerns, and in fact I think that you could make the case that over time it is going to be more secure, but there is probably a bigger issue of just the compliance that needs to be surrounding that. So if you think for example of how breaches happen, they happen everywhere. People lose laptops, people get hacked into their own enterprises, and if you have your sign-off from the auditor that's okay - it's not great, but your organization will survive, and you will survive and there will be lessons learned. All of the big credit card hacks we have seen they have been all PCI compliant.
However, if you move out into a public cloud and you have not been able to get all of the auditors surrounding some of these things, and there is a data breach, then that becomes more of a personal consequence for the people who signed off on that or made that decision. So there is some fear there where people are waiting for the knowledge from the assurance and the compliance side to catch up. I would have thought in one respect that you would see more leadership there, but I think there is an understandable rationale on why that is not happening.
FIELD: Well I wonder if the same might be true of healthcare? That's one industry we haven't spoken about.
REAVIS: Yes, I think that healthcare is probably one -- there are a couple of different sides to it, but healthcare, when you think about the personally identifiable information that they have, there is even probably greater consequences for the organization to have breaches in cloud computing. But on the other side of it, you are seeing very large cloud providers actually looking at implementing electronic health systems out in the cloud and being disruptive to that market and developing direct relationships with healthcare consumers, which I think is very interesting, and that serves as an example of what cloud computing is doing.
So, the larger healthcare organizations probably fit into more of the "Let's do some private clouds and gain the efficiencies here; let's do some level of community clouds with their provider networks maybe," which is still somewhat of a closed system, but it is more open than a private cloud. But then you are seeing the real interesting disruptive public cloud things happening from non-healthcare companies trying to get into that business.
FIELD: I would like to ask you about one of the Alliance's initiatives, which is user certification. What can you tell me about the initiative, and what's the business case for user certification in cloud computing now?
REAVIS: Our certification, the CCSK, which stands for the Certificate of Cloud Security Knowledge, is based on the guidance that we created in December of 2009 that we released, which is our body of knowledge that is very broad in terms of actually articulating what a lot of the cloud security issues are and what are a lot of the best practices to implement.
We have felt that this was going to be an eventuality, that we were going to need certification because this is very disruptive, and there are a lot of aspects of cloud computing, whether it is new technology or new business models, that are very different and so we need to make sure that people are trained.
I think it is a reasonable due diligence if you are an organization putting assets out into the cloud that you want to know that the providers actually have personnel that are actually trained on security best practices. The problem with existing certifications that are out there is that they just don't address some of the nuances of cloud computing.
We felt that was very important, and we felt as we went through the process of creating it we found that there is really a role for consumers of cloud computing also to have this certification because you don't get rid of all of your legal responsibilities by putting information in the cloud and so you need to have that governance knowledge.
We felt that it was very important for the whole ecosystem of providers, consumers, IT auditors, that we take our body of knowledge, which is widely adopted, and let's create a baseline certification, which really shows that people have accomplished some knowledge. Certifications are not a guarantee of perfection -- I've talked about that already; PCI compliance is not a guarantee. It just raises the level of assurance; it raises the level of the bar.
You have to look at this in combination with a lot of other things, so the business case for us is we are a non-profit, so it is really more about how we help the industry. But the business case for an organization is that for a certification that is $295 dollars, that is something that is not very expensive. It is actually below what a lot of other certifications are that are specific to a technology or a specific discipline. And if you are putting important information out in the cloud, that is not a lot to know that at least someone has been tracking and showing some demonstrated types of knowledge in the very important things leading to securing the cloud.
Where this will go certainly would lead to indemnification, insurance and all those sorts of things that they always rely on people are using the best available practices and availing themselves of all of the tools that are out there. I think over time you will see that organizations that have people on the provider or the consumer side that have the certifications, that is going to be something that is going to be defensible if they are trying to acquire new customers, or they are trying to defend when something even may have gone bad in some way that they availed themselves of everything that they could at that point in time in the industry. We feel it is important.
People are going to move out in the cloud, and it is very important that we can attest that some people have some knowledge about what that means from a security perspective.
FIELD: One last question for you, Jim. We are in the second half of the year now; what are some of the cloud computing trends we should be keeping an eye on between now and the start of 2011?
REAVIS: Well, it's not a huge amount of time, but what I think is very interesting for us to be looking at is there have been some things in the news -- good things and bad things -- happening with an enterprise and a cloud provider relationship in terms of 'Will the cloud provider give that enterprise an enterprise grade service level agreement?'
We have seen some things where they haven't been able to negotiate that, and I think it is a real important sort of milestone when you start seeing public cloud providers be able to prove and show that they can provide enterprise class availability and services, and they are actually going to be writing that into the contracts that they provide to these companies.
I think you are going to see some interesting stuff with that, and I think that frankly is going to be a lot more critical than any sort of technology innovation that would could have in this short time.