The Open Group Conference, San Diego
21st Enterprise Architecture Practitioners Conference

Highlights of the Plenary, Day 3
(Wednesday February 4)

The Open Group’s 1st Security Practitioners Conference (SPC) began Wednesday, February 4 in San Diego, California at the Marriott Mission Valley, co-located with the 21st Enterprise Architecture Practitioners Conference. As the first conference of its kind for The Open Group, the event gathered industry subject matter experts to discuss a range of security topics including security architecture, secure software development, and audit and logging. Security issues related to Cloud Computing were a key discussion topic throughout the day.

Allen Brown, President & CEO, The Open Group, kicked off the inaugural event with a warm welcome and an introduction to The Open Group’s new focus on security, with Cloud Computing in the spotlight. After introducing Jim Hietala, VP Security, The Open Group, the two explained that the event had been in the works since the APC Chicago 2008 event, at which Cloud Computing was the focal topic everyone agreed on.

In his keynote presentation, “Launch of COA Securing Clouds”, Steve Whitlock, Chief Information Security Architect, Boeing, started out by discussing his work with the Jericho Forum, its future direction, and what the Forum calls the “cloud illusion”. He provided a technical view of Cloud Computing and shared a humorous real-world example of a pharmaceutical company whose scientists took the cloud into their own hands for a time-sensitive, calculation-intensive project, at considerably less cost than their IT organization had estimated. The catch was that security was an afterthought. Analyzing the cloud further, he discussed Jericho’s cloud property model, which sets out the key security considerations for Cloud Computing according to whether an organization hosts cloud services internally or externally.

Some of the security questions organizations should ask themselves include:

  • Should servers be in-sourced or outsourced?
  • Who is responsible for business continuity?
  • When data is put in the cloud, how does it get there? Is it secured while in transit? Is it secure once it is there?

The next presenter, Steve Hanna, Distinguished Engineer, Juniper Networks, gave an in-depth talk on “Securing Services in the Cloud” that reminded the audience not to consider cloud services or the cloud in isolation, but to look at all the systems involved: the cloud, the services hosted in the cloud, the devices and users employing those services, the data involved in the services, and the networks over which the services are delivered. All of these must be secured and managed in a consistent manner. Steve’s definition of Cloud Computing is a dynamically scalable, shared IT resource accessed over a network. The loss of control is the most unsettling aspect of Cloud Computing, since valued information and data are handed off to a provider and placed on its servers. He discussed the key issues in sharing resources with untrusted parties and the countermeasures that need to be taken. He summarized his presentation with the bottom line on Cloud Computing security:

  • Weigh risks and benefits of each case

  • For small and medium organizations, cloud security may be a big improvement, cost savings may be large

  • Larger organizations already have large, secure datacenters, so for them the benefits center on elastic, Internet-facing services

  • It is essential to employ the countermeasures he outlined as part of his presentation

Cyril Guyot, Senior Engineer in the Research Division of Hitachi Global Storage Technologies in San Jose, California, presented “Securing Stored Data in the Cloud”, which centered on deploying storage-device security as a means of securing the cloud and on overcoming the practical issues that widespread data-at-rest encryption might pose. After defining Cloud Computing for the purposes of his presentation, he gave an overview of the typical architectures from the point of view of Hitachi storage. Starting from a general view of the security issues (legal and market) that cloud storage faces, he outlined the various cloud storage roles: data creator, data owner, end user, data host, and network intermediaries. He then showed how the storage security architecture recently developed by the Trusted Computing Group provides a practical solution to some of those issues. Cyril went on to showcase recent cryptographic research that can help storage providers store data securely without losing searchability and computability or compromising security.

Kristin Lovejoy, Executive in Corporate Governance, Risk, Compliance, and Security, IBM, rounded out the morning sessions of the SPC with her presentation “Security issues inhibiting adoption of cloud services in the enterprise”. She clarified at the outset that she would be discussing Cloud Computing not from a technology perspective but from the business perspective of adoption. She explained that IBM is also a security company, delivering security through its various brands, such as Tivoli, each of which has its own set of security products and services. To help organizations get past the worry that security should inhibit Cloud Computing adoption, she laid out her perspective on the cloud. Among the primary inhibitors to cloud adoption, security, reliability, and economics are the concerns she hears most often from customers, and data security is the most feared. In general, security practice is not yet mature enough to cover organizations on the software development side; it is almost always focused on operations. She noted that the IT security function is becoming a consultant to the business, and that IBM sees the IT security function in organizations slowly losing headcount while gaining power. These IT security consultants advise on the policies, processes, and technologies businesses need to mitigate risk, and the software development cycle needs to be part of that. She also mentioned the lack of vendors providing holistic virtual systems management in the age of virtualization and Cloud Computing. At the end of her presentation she focused on compliance and its complexity, citing major compliance requirements based mostly on U.S. laws, with some international laws as well.

The afternoon sessions of the first day of the SPC conference were convened by Chenxi Wang, Senior Analyst, Forrester Research, who presented on “Cloud computing security issues”. Chenxi’s presentation started out by defining Forrester’s view of various types of cloud services. A key point that Forrester’s recent research shows, and which was supported by some recent vendor experience, is that organizations are looking more aggressively at adopting SaaS and cloud services (63% of organizations surveyed planned to increase use), likely as a result of the economic downturn. The presentation described perceived benefits of cloud services, which echoed what was heard in earlier presentations. In terms of security concerns, Chenxi categorized several as:

  1. Data protection issues
  2. Operational integrity
  3. Compliance and regulations
  4. Transitive trust issues, especially where cloud/SaaS services are hybrid or mashups
  5. Security trust
  6. Auditing
  7. Disaster recovery, business continuity
  8. Integration issues
  9. End-of-service support issues (data clean up)
  10. Intellectual property protection

Chenxi also discussed SLAs as the only real mechanism organizations have to enforce security in cloud environments. She concluded by talking about the next steps needed to advance Cloud Computing, including standards for service metrics, standards for auditing, and standard SLAs.

Peter Coffee, Director of Platform Research, salesforce.com, was the next presenter, with a focus session titled “Securing Services in the Cloud”. Peter discussed security issues in the cloud-based end-user application use case, where a single enterprise uses a cloud-based application instead of deploying enterprise software in-house on corporate infrastructure in the traditional way. He addressed how customers can be assured that their data will be kept private and how salesforce.com complies with European data protection laws. He also discussed salesforce.com’s business continuity plan, which includes four separate backup centers more than 1,000 miles apart, and stressed the importance of transparency about transaction volumes, performance, outages, speed, and service anomalies. Lastly, he outlined four major myths about SaaS and PaaS:

  1. SaaS creates silos and invites rogue business processes
  2. SaaS is a low-cost, low-function model for SMBs
  3. Platform as a Service is just an extensibility toolkit for SaaS applications
  4. PaaS represents increased risk

Wolfgang Kandek, CTO, Qualys, presented “Ensuring security for an enterprise cloud-based managed security service”, beginning with an overview of Qualys, its customers, products, and services. He answered the question of why customers consider Qualys by outlining their needs for vulnerability management, policy compliance, and web application scanning; data quality and deployment simplicity were other reasons given. He described how Qualys earns the trust of its customers through its architecture, and, further, through transparency. The company is currently improving its contingency planning, with disaster recovery plans in the works.

The afternoon session was rounded out by Jinesh Varia, Technology Evangelist, Amazon Web Services, with his interactive presentation “Cloud Security Processes and Practices”. Taking questions from the audience, he agreed that just because a company specializes in something does not mean it is good at it; a company still needs to be held accountable and to follow best practices when it comes to security. The example given was banks and their losses of confidential data. He outlined Amazon Web Services’ security certifications, affirming that AWS will pursue additional certifications and welcoming suggestions from the audience. With regard to data backups, he explained that data stored in Amazon S3, Amazon SimpleDB, and Amazon EBS is stored redundantly in multiple physical locations. He outlined the multiple levels of EC2 security and gave an overview of the security inside the virtualization technologies Amazon uses. In addition, he offered EC2 security recommendations and outlined the network security considerations built into Amazon’s platform.

The day concluded with a focused panel discussion on "Securing Services in Clouds", moderated by Eric Maiwald, VP & Research Director, Security & Risk Management Strategies, Burton Group. The panelists included Peter Coffee from salesforce.com, Kristin Lovejoy, IBM, Nils Puhlmann, Qualys, and Jinesh Varia, Amazon.

The panel discussion provided a sometimes contentious look at cloud security issues. Topics that were discussed included the kinds of service characteristics that were included in contracts and SLAs. A point the panel made was that in some cases, security provisions being made by cloud service providers may exceed those in use in individual enterprises. Other important points included the need for ‘auditability’ of controls, transparency of performance and security from the cloud provider to customers, and the fact that the security threat surface and responsibility for securing and monitoring varies depending upon the cloud service type. Eric Maiwald closed the panel with some words of wisdom, reminding enterprises that they need to ask the tough questions of cloud security vendors, and that they need to carefully analyze SLAs and contracts.
