Throughout 2010, surveys have shown how the lack of trust in cloud computing is slowing the adoption of cloud services. This week at the RSA Conference in San Francisco, California, securing the cloud is on everybody’s mind. Not surprisingly, many are still outlining a piecemeal approach to cloud security using the same recipes that have not worked in the past several decades. However, several credible and powerful voices are emerging from the noise to offer a much more compelling approach to accelerating the adoption of cloud services. The idea is to build a new comprehensive cloud trust model that exploits the unique characteristics of cloud and virtualization. Now, the good news: Leaders in cloud computing are making trust the centerpiece of their strategy and the technology to build this trust model is available now.
In a vision paper entitled “Proof Not Promises: Creating the Trusted Cloud”, industry veterans from EMC, RSA and VMware share their vision for trust in the cloud. The authors have updated Ronald Reagan’s formula for controlling the Soviet Union, “Trust but Verify”, into its cloud equivalent: “Trust = Visibility + Control”. The paper provides a convincing and inspiring perspective that wraps several of the concepts we have previously discussed in this blog: the opportunity to use virtualization to provide better security and the irreversible evolution towards information-centric security that is built into the cloud infrastructures. The juxtaposition of these concepts with very concrete technology proof points and the endorsement of the industry thought leaders make the paper a must-read for any IT decision maker who wants to reap the cost and agility benefits of cloud computing sooner rather than later.
In a related announcement that makes this vision even more concrete, we (the RSA cloud team) announced the Cloud Trust Authority, a set of cloud services to provide cloud customers control and visibility over cloud providers. In its initial instantiation, the Cloud Trust Authority will provide control of enterprise identities and visibility into cloud providers’ compliance posture. The Cloud Trust Authority Identity Service is a cloud-based identity federation hub that enforces strong authentication and controls access to cloud resources. The Cloud Trust Authority Compliance reporting service provides cloud customers with compliance reports for cloud providers based on the Cloud Security Alliance GRC stack. We all believe that this new trust model will drastically simplify the trust relationship between cloud customers and cloud providers by using an intermediary, the Cloud Trust Authority, to handle the most complex technical integration required to provide compliance and to secure identities, information and workloads in the cloud.
What I like the most about the trusted cloud conversation is its tone. It completely changes the role of the IT security department from a whining team that everybody avoids to a critical partner in the definition of the enterprise’s cloud strategy. All of a sudden, the security team is solving the identity management, information control and compliance problems and is sitting between the IT department and the cloud promise of flexibility, agility and cost reduction.
Forget the surveys: the industry is getting ready for a new cloud computing motto for 2011 and beyond: “In Cloud we Trust”.