Richard Martin Blog: Searching for Security in the Cloud

By Richard Martin

Last month I posted a blog in which I basically blamed the major carriers for holding back the spread of cloud communications and hosted VoIP. Restrictive models and proprietary solutions, I wrote, are “partly the result of unimaginative thinking by users and applications developers around models for cloud computing, and partly the result of an entrenched and powerful IT, and telecom, industry that doesn’t want to see its revenues slashed as businesses move to the cloud.”

To that list should be added the reluctance and hesitation of enterprise CIOs and telecom directors.

“Enterprises will always prioritize internal operations and security for a variety of reasons,” reported Searchcloudcomputing.com’s Carl Brooks, from last week’s Enterprise 2.0 conference, “and a larger shift to cloud computing infrastructures is several years away.”

The top concerns of enterprise CIOs around cloud-based communications services are security, security and security. One CIO from a multinational financial services firm pointed out that his company has sensitive client data lodged in many locations around the world, none of which is likely to be hosted or transmitted in the cloud anytime soon: He can’t afford to just “put it out there in the cloud,” Brooks reported.

As my colleague Doug Allen reported last week, the big carriers are attempting to allay those fears by touting their own extensive security records and by teaming up with others in the space to supply robust and secure offerings: Verizon, for example, “is positioning itself as more of an IT player than a purveyor of dumb pipes, but both are partnering extensively with systems integrators and solution providers to establish greater credibility with their enterprise clients.”

That’s the focus of Verizon Business in its presentation this week at the Gartner Security & Risk Management Summit, where the carrier will lead a workshop on tips for securing cloud services. Those tips include the obvious (“Evaluate your goals,” “Perform due diligence,” blah blah blah), and the less obvious (“Incorporate a mix of services delivered in-the-cloud and on premises,” i.e., the hybrid cloud model that AT&T cloud guru Joe Weinman describes).

More substantive relief is on the way from the Cloud Security Alliance, launched by a group of operators and IT firms a year ago. In April the CSA released the first “Cloud Controls Matrix,” basically a list of approved cloud security programs and applications that are “aligned with key information security regulations, standards and frameworks.” The new matrix has the support of other industry associations such as CloudAudit.org, whose founder, Christofer Hoff, issued the following bit of gobbledygook in support of the CSA controls scheme: “CloudAudit's goal is to provide an interface and namespace to allow both cloud providers and customers to automate substantial portions of the assurance lifecycle in a transparent manner.”

Whatever that actually means, I take it to indicate that a growing set of providers, vendors and industry groups is gathering behind a set of widely accepted and effective guidelines and applications for cloud security. That’s a good thing – and if it takes hold, maybe we can quit blaming the incumbents for holding back the cloud revolution.
