Cloud Computing

Cloud Security Panel at NIST and informIT Reaction

On April 7th, NIST convened a conference on cloud computing in Gaithersburg, MD. One of the featured sessions was a panel on cloud security. I participated in the panel with Steve Lipner of Microsoft, JC Moses of Amazon, Jonathan Smith of Penn, and Jeremy Epstein of SRI. The panel was moderated by Donna Dodson and [...]

A Cloud Security Discussion without FUD

I was happy to read a very measured viewpoint about Cloud Security in the first couple of articles of the Nov/Dec issue of IEEE Security and Privacy. The introduction sets a very constructive tone. I really appreciate the measured tone because I’ve been dealing with a lot of “knee jerk reactions” within our client-base around Cloud [...]

Identity Encapsulated Key Management

As part of my work on the Trust Cloud Initiative, I’ve had some discussions with the folks at PGP about their Key Management Server. At first, I was “ho-hum, key management”, but there’s more going on here than I had assumed. The way this software manages keys is more like a key ring. The implication [...]

Speaking at CISSE on 6/8

I’m speaking at the 2010 Colloquium in Baltimore on Tuesday 6/8 on Cloud Security. Here’s the abstract. Cloud Security: Don’t Be Late to the Party Cloud computing is here to stay. No amount of security whining will stop the cloud, and yet as the cloud revolution sweeps IT it behooves us to pay close attention [...]

Trusted Cloud Initiative

I just moderated a panel on security within Cloud Computing environments. Many of the questions from the audience were about how to trust cloud computing environments. Trust is such a loaded word and I couldn’t tell from the participants if they were looking for a bunch of bolt-on controls or something more holistic. At RSA, [...]

Is Digital Evidence the Forcing Function After Compliance?

My Saturday US Mail delivery (so sad if it goes the way of the dodo bird) arrived with several notifications of class action lawsuits for companies in which I’ve held equity positions. As I walked back from the mailbox, I had the thought: HIPAA and PCI protect the consumer, but who/what is protecting the business [...]

There are only losers in Cloud federated IAM

I read a question on one of the cloud mailing lists asking which of the federated authentication protocols (SAML, OpenID, OAuth, WRAP, etc.) would win. My initial reaction was to reply, “Isn’t the question which ones won’t lose?” Okay, that’s snarky and perhaps a double negative, but I find it a rather dubious notion to [...]

Cloud Hype and de-Hype

I had been reading about Gartner’s prediction that 1 out of every 5 businesses were going to dump all of their physical IT infrastructure when Sammy Migues sent me a thread from LinkedIn about it. The thread contained many of the common sense views about Cloud Computing that you’d expect: IT should be based on [...]

Bubbles

I’ve lived in a bubble all of my life. My parents created a bubble to grow up in and then I wrote commercial software products. It’s only recently that I’ve stepped out of that bubble and seen just how messy the real world is. Yes, I’ve looked at bubbles from both sides now (sorry, but [...]

Cloud Risks When You Become A Service Provider

The European Network and Information Security Agency (ENISA) published their analysis of security risks from cloud computing. It’s a well thought through paper and it complements the work on cloud security guidance being written by the Cloud Security Alliance. What I like about both the ENISA report and the CSA Guidance (I’m an author of [...]