I recently participated in a roundtable for NetworkWorld, tackling the question "Who is responsible for cloud security?" First of all, the picture is hilarious, especially because it shows my head photoshopped onto some dude with a tie. Like I'd wear a tie.
But some of the discussion was interesting. As with any roundtable, you get a great deal of puffery and folks trying to make themselves sound smart by talking nonsense. Here are a couple of good quotes from yours truly, who has never been known to talk nonsense.
NW: Let’s start with a basic question. When companies are building hybrid clouds, who is responsible for what when it comes to security? What are the pain points as companies strive to address this?
ROTHMAN: A lot of folks think having stuff in the cloud is the same as having it on-premises except you don’t see the data center. They think, “I’ve got remote data centers and that’s fine. I’m able to manage my stuff and get the data I need.” But at some point these folks are in for a rude awakening in terms of what the true impact of not having control over layer four and down is going to mean in terms of lack of visibility.
NW: As Sutherland mentioned earlier, a lot of this has to be baked into the contract terms. Are there best practices that address how?
ROTHMAN: A lot has to do with how much leverage you have with the provider. With the top two or three public cloud providers, there’s not going to be a lot of negotiation. Unless you have a whole mess of agencies coming along with you, as in [Kingsberry’s] case, you’re just a number to these guys. When you deal with smaller, more hungry cloud providers, and this applies to SaaS as well, then you’ll have the ability to negotiate some of these contract variables.
NW: How about the maturity of the cloud security tools themselves? Are they where they need to be?
ROTHMAN: You’ll walk around the RSA Conference and everybody will say their tools don’t need to change, everything works great and life is wonderful. And then after you’re done smoking the RSA hookah you get back to reality and see a lot of fundamental differences of how you manage when you don’t have visibility.
Yes, I actually said RSA hookah and they printed it. Win!
Check out the entire roundtable – they have some decent stuff in there.
Photo credit: “THE BLAME GAME” originally uploaded by Lou Gold
One Reply to “Who’s Responsible for Cloud Security? (NetworkWorld Roundtable)”
I think the second quote here is a biggie. A lot of folks use the "address it in contract" line. I have to admit at first my thinking went along the lines of: "how is all this 'cloud' stuff really any different than application service providers?" For SaaS at least, it seemed like a fancy rename for an ASP. Now a cloud head would probably tear me up over how the difference is in the layers of abstraction and elasticity really running underneath, but I've seen plenty of things labeled 'SaaS' that are still just a couple of web servers running some niche app. As a security guy the biggest difference turned out to be the purchasing and contracting model. ASPs used to go through something resembling a real purchasing process with real contract negotiations. There was an opportunity to request specific evidence of security controls, and I've even done independent auditing and penetration testing of an ASP's wares. The legal folks also had an opportunity to be specific about damages. For many 'cloud' applications no such purchasing process exists. Someone is just slapping down a credit card and running. You get whatever documentation of controls and audit proof the provider feels like publicly disclosing and whatever damages are in their take-it-or-leave-it SLA. That means you have a lot less opportunity to slough off responsibility by contract. Which isn't necessarily a bad thing if the end result is more people being more responsible for their own data. It is very different though, and it means actually having to think about stuff...