RSA Conference 2012 Guide: Cloud Security
By Mike Rothman
We’ve renamed this section from “Virtualization and Cloud Security” to simply “Cloud Security” since if you listen to any of the marketing messages, you can’t tell the difference, even though it’s a big one. And virtualization is a hassle to type, so buh bye! Overall, as we mentioned in the key themes post, cloud security will be one of the biggest trends to watch during the conference and it also happens to be one area where you should focus since there is some real innovation, and you probably have real problems that need some help.
New Kids on the Cloud Security Block (NKOTCSB)
Hiding in the corners will be some smaller vendors you need to pay attention to. Instead of building off existing security tools designed for traditional infrastructure (we’re looking at you, Big Security), they’ve created new products built from the ground up specifically for the cloud. Each of them focuses on a different cloud computing problem that’s hard to manage using existing tools: identity management (federated identity gateways), instance security, encryption, and administrative access. Many of these have a SaaS component, but if you corner them in a back room and have enough cash they’ll usually sell you a stand-alone server you can manage yourself. NKOTCSB FTW.
Cloudwashing vs. the Extreme Cloud Makeover
If you haven’t heard the term before, “cloudwashing” refers to making a virtual appliance of a product ready to run on Amazon Web Services, VMware, or some other cloud platform without really changing much in the product. This is especially amusing when it comes from vendors who spent years touting their special hardware secret sauce for their physical appliance. Consider these transitional products, typically better suited for private cloud IaaS. They might help, but in the long run you really need to focus on cloud-specific security controls.
But some vendors are pushing deeper and truly adapting for cloud computing. It might be better use of cloud APIs, redesigning software to use a cloud architectural model, or extending an existing product to address a cloud-specific security issue that’s otherwise not covered. The best way to sniff the cloudwashing shampoo is to see if there are any differences between the traditional product and the virtual appliance version. Then ask, “Do you use the [cloud platform] APIs or offer any new APIs in the product?” and see if their faces melt.
Virtual Private Data
We also cover this one in the data security post so we won’t go into much more detail here, but suffice it to say data security is pretty high on the list of things people moving to the cloud need to look at. Most encryption vendors are starting to support cloud computing with agents that run on cloud platforms as an extension of their existing management systems (thus requiring a hybrid model), but a couple are more cloud-specific and can deploy stand-alone in public cloud.
Most of the practical cloud-specific security, especially for Infrastructure as a Service, comes from the (relatively) new group of cloud management vendors. Some might be at RSA, but not all of them, since they sell to data center operations teams, not CISOs. Why? Well, it just might be the big wads of cash that Ops teams have in comparison. Keep an eye on these folks because aside from helping with configuration management automation, some are adding features like CloudAudit support, data protection/encryption, and network security (implemented on a virtualized host). While the NKOTCSB are totally focused on security innovation, the management and operations platforms concentrate on cloud operational innovation, which obviously has a big security component.
We’ll be posting the assembled guide within the next day or so, so you’ll have it in plenty of time for your pilgrimage to San Francisco.