I just wrapped up my first Cloud Security Alliance Congress. This year the show had about 20% more attendees, no surprise given the growth of cloud adoption and the strong focus that both customers and cloud providers have on security. There was no single vertical that stood out; attendees came from all areas - large Enterprise, Government, Consultants and, of course, sponsoring vendors like Vormetric.
One personal observation from the people I spoke to is that Federal Government employees seem far more aggressive in adopting the cloud than their private sector counterparts. At first, it seemed contradictory that a conservative, security-conscious group like this would be taking the lead. But on second thought, I remembered how the US Government led the charge to move from dedicated, primarily internal networks to the Internet, and I believe this may be similar. They have the talent, influence and financial clout to help motivate industry to build secure, reliable and highly scalable clouds. I also witnessed some very impressive, active and intelligent interactions coming from NIST.
Another finding: representatives of larger Enterprises seemed evenly split between wanting to learn more about securing the cloud for adoption purposes and looking for more information to help influence their organization to “trust the cloud”. I didn’t get the sense that many of these large enterprise customers were jumping into the public cloud with both feet. However, they are all in the cloud because of business partners. At our booth, many people expressed concerns about how their organization’s data is protected by these business partners (outsourcers, service providers, SaaS solution vendors, and so on).
Much of the discussion in sessions and on the show floor was not around technology, but around framework, process, and creating appropriate SLAs and contractual agreements. As you might expect, much of this discussion centered around the responsibilities of the provider and the customer. I believe that Sean Cordero, chair of the CSA Cloud Controls Matrix Work Group, summarized this best by saying that “You can’t outsource accountability”. There were few arguments about this – but what is not clear is where the boundary of responsibility should be drawn and communicated. My perspective on this is that market forces, as well as the smart and passionate leaders in organizations like CSA and NIST, are moving the industry quickly in the right direction.
Some other items of interest:
· Bill Corrington, former CTO of the Department of Interior, and our own Derek Tumulak, Vormetric VP of Product Management, packed the room with their audience-inclusive discussion about how to negotiate SLAs with cloud providers.
· It was no surprise that international participants frequently brought up concerns over NSA spying and capabilities for discussion.
· Another area of interest was continuous monitoring. It is very important to have more visibility and analytics for cloud services. This, by the way, is an area that CSA is actively working on as part of their GRC Stack initiatives and working groups.
Something else new – I heard several times that most IT professionals agree that cloud providers offer better security than their own organizations. The reason: the cloud providers hire the best talent and invest in the best architectures because of the scale of their deployments. The AWS keynote speaker, Teresa Carlson, VP AWS Public Sector, shared that 60% of organizations felt this way. My impression is that even more IT professionals share this viewpoint – but that there is still a lot of work required for corporations to gain the trust required before moving sensitive data into the cloud. I also heard several times from Sr. IT attendees that they are concerned about the lack of transparency at providers – they will never have the detailed view into, and control of, cloud providers’ infrastructure that they have in their own data centers. AWS’s solution to address this concern is to point out that under NDA they will share very detailed documentation about their architecture and process. From looking at estimates of AWS growth rates, they must be starting to meet the concerns of at least some of these customers.
On the last evening, I attended a dinner with a spectrum of participants in the event. These included people working for cloud providers, equipment providers, government contractors and F50 enterprises. I asked for input on my forthcoming blog. The first thought in most people’s minds was, “Every session said encrypt everything”. I said that if I wrote that it would seem self-serving. People were insistent, pointing out numerous examples, including the final keynote by Chris Kemp, past NASA CTO. On his final conclusion slide, the first point was, “Regardless of the cloud you run on, encrypting data is the single most important thing you can do and keep your own keys”.
I tip my hat to the CSA team. This small team worked really hard to prepare and to execute on a terrific show. I’m looking forward to working with them again at CSA Summit in San Francisco on February 24, 2014. I hope to see you there too!