Monday, February 6, 2012

Panel on Cloud Security

I had blogged earlier about the TiE Panel on Software Defined Networks. I did not realize that I had not posted a blog after that! I have been really busy :( More on that in a future blog post.

TiE Silicon Valley organized a panel on Cloud Security on Thursday, Feb 2nd, 2012. This panel was also very well attended, indicating the popularity of the topic and the opportunities it presents to entrepreneurs and large companies alike.

The premise behind the problem (and the opportunity) is the steady stream of well-documented data breaches. The Online Trust Alliance (OTA) has dubbed 2011 the "Year of the Breach": the 550+ breaches recorded in 2011 cost U.S. businesses alone more than $6.5 billion. The FBI has said that cyber attacks are the top terror threat to the country.

Tim Mather of KPMG, author of a book on Cloud Security and Privacy, led with a provocative commentary on the state of the industry. The slides he used can be seen here. He listed five areas in which cloud security problems typically arise:
  1. Cryptographic key management
  2. Data Loss Prevention
  3. Data sanitization
  4. Federated Identity management
  5. Security Incident management
Among the products available that address some of these cloud security issues, he highlighted Virtual Private SaaS (introduced by Navajo Systems, recently acquired by Salesforce.com). The provocative part of his talk came when he described the upcoming "food fights" in the industry:
  1. Telcos are becoming Cloud Service Providers
  2. The initiative led by Viviane Reding to regulate Cloud Computing and update the Data Protection Directive
  3. The ITU-T meeting in Dubai in November, which attempts to bring ICANN under UN control (and to regulate cloud computing)
  4. The upcoming CALEA II (Communications Assistance for Law Enforcement Act), which attempts to regulate any messaging over the internet. This will make SOPA and PIPA look small in comparison!
The next speaker was Becky Swain. Her slides can be seen here. Given her background with the Cloud Security Alliance (CSA), she spoke about cloud security from a regulatory and emerging-standards point of view. One needs to constantly balance compliance and risk management in the cloud.

Caleb Sima spoke next. His thesis was the somewhat simplistic viewpoint that the cloud is more secure: the attack surface is wider if you manage everything on your own. Going to the cloud could potentially mean a "loss of control". While some view this as a vulnerability, others (himself included) do not see it that way. However, according to a Ponemon Institute survey, roughly 1 in 3 respondents have not adopted cloud services because of concerns over security. This IW article states that security concerns are one of the biggest barriers to cloud adoption among Federal IT professionals.

Ratinder Ahuja of McAfee was the next speaker. His slides can be viewed here. Naturally, his talk focused on how the McAfee Cloud Security Platform helps businesses leverage cloud computing services and solutions securely. The future, Dr. Ahuja said, holds tremendous opportunity in delivering Security as a Service.

Ryan Floyd of Storm Ventures was the final speaker. He said that he agreed with Caleb Sima in that the Cloud is more secure.

When Ryan stated that PCI compliance was the first standard adopted by the industry to improve the security of payment transactions, Tim Mather tore that to shreds. "PCI is worthless," Tim said. "It is merely the payment industry shifting the burden to the merchants." The payment industry had tried SET (Secure Electronic Transaction) first, and it was abandoned because of the onerous cost of implementing it.

Tim went on to say that there is a technology solution proposed by IBM's Craig Gentry using fully homomorphic encryption, which allows a server to compute on encrypted data without ever decrypting it. It has been debated whether this is ready for prime time. In fact, Microsoft published a paper with a contrarian viewpoint proposing "somewhat homomorphic encryption", which supports only a bounded number of operations on ciphertexts but is far cheaper to compute.
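As an added illustration (not part of the original post, and not code from any of the panelists), the following Python shows the principle being debated: a server that computes on data it cannot read. It uses Paillier, a textbook scheme that is only additively homomorphic (ciphertexts can be added together and scaled by a plaintext constant, but not multiplied with each other), so it is far simpler than Gentry's fully homomorphic construction or the somewhat homomorphic schemes in the Microsoft paper. The workflow is the same, though: the client keeps the private key, the untrusted "cloud" aggregates ciphertexts, and only the client can decrypt the result. The two primes, the sample readings and the function names are my own constructions for the demo; the resulting 92-bit modulus is far too small for real use.

```python
"""Additively homomorphic encryption (Paillier) as a stand-in demo: an
untrusted server adds encrypted values without ever seeing the plaintexts.
Textbook implementation for illustration only, not for production use."""
import math
import secrets

# Constructed demo primes (the Mersenne primes 2^31-1 and 2^61-1).
# Real deployments use random primes of 1024+ bits each.
P_DEMO = 2**31 - 1
Q_DEMO = 2**61 - 1


def keygen(p, q):
    """Return (public_key, private_key) for Paillier with p, q prime."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("p and q must satisfy gcd(pq, (p-1)(q-1)) == 1")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1             # standard choice: L(g^lam mod n^2) == lam
    mu = pow(lam, -1, n)  # modular inverse (Python 3.8+)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Client-side: c = g^m * r^n mod n^2 with fresh random r."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1  # r in [1, n-1]
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Client-side: m = L(c^lam mod n^2) * mu mod n, where L(x) = (x-1)/n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    x = pow(c, lam, n2)
    return ((x - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """Server-side: E(m1) * E(m2) mod n^2 == E(m1 + m2).
    Note this is addition of plaintexts; Paillier has no way to obtain
    E(m1 * m2) from the two ciphertexts, which is what SHE/FHE add."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Server-side: E(m)^k mod n^2 == E(k * m) for a plaintext constant k."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_sum(pub, ciphertexts):
    """Server-side aggregate: product of all ciphertexts == E(sum of plaintexts)."""
    n2 = pub[0] ** 2
    acc = 1  # multiplicative identity, i.e. E(0) with r = 1
    for c in ciphertexts:
        acc = (acc * c) % n2
    return acc


def demo():
    """Client encrypts per-site readings; the cloud totals and doubles them blind.
    Returns the decrypted (total, doubled_total)."""
    pub, priv = keygen(P_DEMO, Q_DEMO)
    readings = [120, 75, 310, 42]  # constructed sample data
    cts = [encrypt(pub, m) for m in readings]
    # Everything below this line needs only the public key.
    total_ct = encrypted_sum(pub, cts)
    doubled_ct = scale_encrypted(pub, total_ct, 2)
    # Back on the client, holding the private key.
    return decrypt(pub, priv, total_ct), decrypt(pub, priv, doubled_ct)


if __name__ == "__main__":
    print(demo())
```

The asymmetry worth noticing is that every operation between the encryption and the final decryption uses only the public key, so the aggregating server learns nothing beyond ciphertext sizes. The limitation is equally visible: multiplying two ciphertexts yields E(m1 + m2), never E(m1 * m2). Supporting ciphertext-by-ciphertext multiplication, even a bounded number of times, is exactly what distinguishes somewhat and fully homomorphic schemes from Paillier, and it is where their cost comes from.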

At the end of the panel discussion, it was apparent that a lot more had been left unsaid. I expect that we will soon see products coming out in this space that will disrupt how we perceive and interface with security.