By Sramana Mitra and guest author Saurabh Mallik
SM: Yes, and in a public cloud, the platform and infrastructure are evolving. Amazon’s AWS and Salesforce.com’s Force.com are also going in that direction and making it possible for small and medium companies to buy cloud solutions in a black-box mode.
MW: Exactly, and when you do that, it is clear what the capabilities and costs are. It’s easier to buy something that’s straightforward. If I decide to buy an AWS machine image, I have already made a simplified decision in my head.
SM: Right, a lot of choices have already been made, and that’s a good thing for most small and medium businesses that don’t have the knowledge to make a choice of IT solution.
MW: Frankly, it’s a good thing for even large enterprises, because there are a lot of workloads that don’t need the diversity and benefits; more like the simplicity of public clouds
SM: I have two more topics to cover, security and entrepreneurship. Let’s take security first. What is your perspective on the cloud security areas CIOs are focusing on today?
MW: If I talk about the private cloud and security and privacy in the private cloud, it goes back to the same issues of the enterprise today. Let’s now talk about the public cloud. The security issues in a public or hybrid cloud, has to be answered by this question: Is there a difference in scale, or is there a difference in kind? I believe there is clearly a difference in scale
SM: This difference in scale comes not only from cloud but from this intense adoption of mobility.
MW: I agree, and this is my claim about why there is no difference in kind. I was having a conversation with a colleague, and she said there is a difference in scale of entry points to potentially penetrate clouds. Using a third party, there are lot more players in the cloud in my enterprise. Therefore, there is a difference not just in scale but also in type. My risk in controls need to address different types of risk because I am using third parties and I have all these different players in the cloud with unknown points of connection. Well, let’s look at the enterprise today, who’s using a third-party processor for something, and whose 10,000–20,000 employees are carrying mobile computing devices connected to the enterprise. There’s no difference in type, it’s just a difference in scale.
Now, I will relax, there is a slight difference in type: The notional transparency inside the enterprise and the notional transparency in the cloud are very different. Here’s what I mean by that. In the enterprise, I can know in theory where the given transactions are, for example what computing, what storage, what users. Not every enterprise is positioned to have that kind of transparency, but it should be available. In the cloud, not all enterprises will have that kind of transparency or granularity. So, if there is a difference in kind in security, privacy and strategy, risk, and control strategy, it has more to do with how the cloud service provider is dealing with transparency and granularity. So, a SAS 70 assessment, which is done now on outside IT provider services so that the enterprise can have some degree of control over its security doesn’t exist right now for a cloud service provider. You could do a SAS 70 on a cloud service provider with one of your subscribers. However, that notion is not in the industry today. To summarize, the issues that I face in the enterprise today concerning security and privacy are the issues that I face in the cloud. Therefore, the same discipline that I exercise in the enterprise I will need to exercise in the cloud.
SM: But you do not have the capability to do so.
MW: Maybe not. Why not? Because first, it is a different scale with a difference in risk controls and tools and second, I may not have transparency with cloud service providers. So, I have to come back to the trust zone and deal with my risk and control frameworks appropriately. I do that today in a distributed supply chain when I deal with upstream and downstream partners. I may not have visibility into what happens when the data gets to me or what happens when the data leaves me. People obsess about privacy and security in the cloud. That is good, because we should obsess about privacy and security. But the barriers to cloud adoption are exactly the same as the disciplines we are using to avoid barriers in the enterprise.