Transcript of a sponsored BriefingsDirect podcast on how companies should approach and guard against data loss when placing sensitive data in the cloud.
Fog Clears on Proper Precautions for Putting More Enterprise Data Safely in Clouds
Moving to Cloud Environments Should Trigger a Classification of Enterprise Data
Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor:
Hewlett-Packard.
Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re
listening to BriefingsDirect. Today, we present a sponsored podcast discussion on managing risks
and rewards in the proper placement of enterprise data in cloud computing environments.
Headlines tell us that Internet-based threats are becoming increasingly malicious, damaging, and
sophisticated. These reports come just as more companies are adopting cloud
practices and placing mission-critical data into cloud hosts, both public and
private. Cloud skeptics frequently point to security risks as a reason for cautiously
using cloud services. It’s the security around sensitive data that seems to concern
many folks inside of enterprises.
There are also regulations and compliance issues that can vary from location to location, country
to country and industry by industry. Yet, cloud advocates point to the benefits of systemic
security as an outcome of cloud architectures and methods. Distributed events and strategies
based on cloud computing security solutions should therefore be a priority and prompt even more
enterprise data to be stored, shared, and analyzed by a cloud by using strong governance and
policy-driven controls.
So, where’s the reality amid the mixed perceptions and vision around cloud-based data? More
importantly, what should those evaluating cloud services know about data and security solutions
that will help to make their applications and data less vulnerable in general?
I’m here with a panel of HP experts to delve into the dos and don’ts of cloud computing and
corporate data. Please join me in welcoming Christian Verstraete. He’s the Chief Technology
Officer for Manufacturing and Distributions Industries Worldwide at HP. Welcome back,
Christian.
Christian Verstraete: Thank you.
Gardner: We’re also here with Archie Reed, HP's Chief Technologist for Cloud Security, the
author of several publications including, ‘The Definitive Guide to Identity Management’ and
working on a new book, ‘The Concise Guide to Cloud Computing’. Welcome back to the show,
Archie.
Archie Reed: Hey Dana. Thanks.
Gardner: It strikes me that companies around the world are already doing a lot of their data and
applications activities in what we could loosely call cloud computing, cloud computing being a
very broad subject and the definition being rather flexible.
Let me take this first to you, Archie. Aren’t companies already doing a lot of cloud computing?
Don’t they already have a great deal of transaction and data that’s being transferred across the
web, across the Internet and being hosted on a variety of either internal or external servers?
Difference with cloud
Reed: I would certainly agree with that. In fact, if you look at the history that we’re dealing
with here, companies have been doing those sorts of things with outsourcing
models or sharing with partners or indeed community type environments for
some time. The big difference with this thing we call cloud computing, is that
the vendors advancing the space have not developed comprehensive service
level agreements (SLAs), terms of service, and those sorts of things, or are
riding on very thin security guarantees.
Therefore, when we start to think about all the attributes of cloud computing -- elasticity, speed
of provisioning, and those sorts of things -- the way in which a lot of companies that are offering
cloud services get those capabilities, at least today, are by minimizing or doing away with
security and protection mechanisms, as well as some of the other guarantees of service levels.
That’s not to dismiss their capabilities, their uptime, or anything like that, but the guarantees are
not there.
So that arguably is a big difference that I see here. The point that I generally make around the
concerns is that companies should not just declare cloud, cloud services, or cloud computing
secure or insecure.
It’s all about context and risk analysis. By that, I mean that you need to have a clear
understanding of what you’re getting for what price and the risks associated with that and then
create a vision about what you want and need from the cloud services. Then, you can put in the
security implications of what it is that you’re looking at.
Gardner: Christian, it seems as if we have more organizations that are saying, "We can provide
cloud services," even though those services have been things that have been done for many years
by other types of companies. But, we also have enterprises seeking to do more types of
applications and data-driven activities via these cloud providers.
So, we’re expanding the universe, if you will, of both types of people involved with providing
cloud services and types of data and applications that we would use in a cloud model. How risky
is it, from your perspective, for organizations to start having more providers and more
applications and data involved?
Verstraete: People need to look at the cloud with their eyes wide open. I'm sorry for the stupid
wordplay, but the cloud is very foggy, in the sense that there are a lot of
unknowns, when you start and when you subscribe to a cloud service. Archie
talked about the very limited SLAs, the very limited pieces of information that
you receive on the one hand.
On the other hand, when you go for service, there is often a whole supply chain
of companies that are actually going to join forces to deliver you that service,
and there's no visibility of what actually happens in there.
Considering the risk
I’m not saying that people shouldn't go to the cloud. I actually believe that the cloud is
something that is very useful for companies to do things that they have not done in the past --
and I’ll give a couple of examples in a minute. But, they should really assess what type of data
they actually want to put in the cloud, how risky it would be if that data got public in one way,
form, or shape, and assess what the implications are.
As companies are required to work more closely with the rest of their ecosystem, cloud services
are an easy way to do that. It’s a concept that is reasonably well-known under the label of
community cloud. It’s one of those that is actually starting to pop up.
A lot of companies are interested in doing that sort of thing and are interested in putting data in
the cloud to achieve that and address some of the new needs that they have due to the fact that
they become leaner in their operations, they become more global, and they're required to work
much more closely with their suppliers, their distribution partners, and everybody else.
It’s really understanding, on one hand, what you get into and assessing what makes sense and
what doesn’t make sense, what’s really critical for you and what is less critical.
Gardner: Archie, it sounds as if we’re in a game of catch-up, where the enticements of the
benefits of cloud computing have gotten ahead of the due diligence and managing of the
complexity that goes along with it. If you subscribe to that, then perhaps you could help us in
understanding how we can start to close that gap.
To me one recent example was at the RSA Conference in San Francisco, the Cloud Security
Alliance (CSA) came out with a statement that said, "Here’s what we have to do, and here are the
steps that need to be taken." I know that HP was active in that. Tell me if you think we have a
gap and how the CSA thinks we can close it.
Reed: We’re definitely in a situation, where a number of folks are rushing towards the cloud on
the promise of cost savings and things like that. In fact, in some cases, people are generally
finding that as they realize they have risk, more risk than they thought they did, they’re actually
stepping back a little bit and reevaluating things.
A prime example of this was just last week, a week after the RSA Conference, the General
Services Administration (GSA) here in the US actually withdrew a blanket purchase order (BPO)
for cloud computing services that they had put out only 11 months before.
They gave two reasons for that. The first reason was that technology had advanced so much in
that 11 months that their original purchase order was not as applicable as it was at that time. But
the second reason, perhaps more applicable to this conversation, was that they had not correctly
addressed security concerns in that particular BPO.
Take a step back
In that case, it shows we can rush towards this stuff on promises, but once we really start to get
into the cloud, we see what a mess it can be and we take a step back. As far as
the CSA, HP was there at the founding. We did sponsor research that was
announced at RSA around the top threats to cloud computing.
We spoke about what we called the seven deadly sins of cloud. Just fortuitously
we came up with seven at the time. I will point out that this analysis was also
focused more on the technical than on specific business risk. But, one of the threats was data loss
or leakage. In that, you have examples such as insufficient authentication, authorization, and all
that, but also lack of encryption or inconsistent use of encryption, operational failures, and data
center liability. All these things point to how to protect the data.
One of the key things we put forward as part of the CSA was to try and draw out key areas that
people need to focus on as they consider the cloud and try and deliver on the promises of what
cloud brings to the market.
Gardner: Correct me if I am wrong, but one of the points that the CSA made was the notion
that, by considering cloud computing environments and methodologies and scenarios, you can
actually make your general control and management of data improved by moving in this
direction. Do you subscribe to that?
Reed: Although cloud introduces new capabilities and new options for getting services,
commonly referred to as infrastructure or platform or software, the posture of a company does
not need to necessarily change significantly -- and I'll say this very carefully -- from what it
should be. A lot of companies do not have a good security posture.
When we talk to folks about how to manage their approach to cloud or security in general, we
have a very simple philosophy. We put out a high-level strategy called HP Secure Advantage, and
it has three tenets. The first is to protect the data. We go a lot into data classification, data
protection mechanisms, the privacy management, and those sorts of things.
The second tenet is to defend the resources which is generally about infrastructure security. In
some cases, you have to worry about it less when you go into the cloud per se, because you're not
responsible for all the infrastructure, but you do have to understand what infrastructure is in play
to feed your risk analysis.
The third part of that validating compliance is the traditional governance, risk, and compliance
management aspects. You need to understand what regs, guidance, and policies you have from
external resources, government, and industry, as well as your own internal approaches, and then
be able to prove that you did the right thing.
So this seems to make sense, whether you're talking to a CEO, CIO, or a developer. And it also
makes sense, whether you are talking about internal resources or going to the cloud. Does that
make sense?
Gardner: Sure, it does. So, getting it right means that you have more options in terms of what
you can do in IT.
Reed: Absolutely.
Gardner: That seems like a pretty obvious direction to go in. Now, Christian, we talked a little
bit about the technology's standard methods for approaching security and data protection, but
there is more to that cloud computing environment. What I'm referring to is compliance,
regulation, and local laws. And this strikes me that there is a gap maybe even a chasm between
where cloud computing allows people to go, above where the current laws and regulations are.
Perhaps you could help us better understand this gap and what organizations need to consider
when they are thinking about moving data to the cloud vis-a-vis regulation.
A couple of caveats
Verstraete: Yes, it's actually a very good point. If you really look at the vision of the cloud, it's,
"Don't care about where the infrastructure is. We'll handle all of that. Just get the things across
and we'll take care of everything."
That sounds absolutely wonderful. Unfortunately, there are a couple of caveats, and I'll take a
very simple example. When we started looking at the GS1 Product Recall service, we suddenly
realized that some countries require information related to food that is produced in that country
to remain within the country's boundaries.
That goes against this vision of clouds, in which location becomes irrelevant. There are a lot of
examples, particularly around privacy aspects and private information, that makes it difficult to
implement that complete vision of dematerialization, if I can put it that way, of the whole power
that sits behind the cloud.
Why? Because the EU, for example, has very stringent rules around personal data and only
allows countries that have similar rules to host their data. Frankly, there are only a couple of
countries in the world, besides the 27 countries of the EU, where that's applicable today.
This means that if I take an example, where I use a global cloud with some data centers in the US
and some data centers in Europe, and I want to put some private data in there, I may have some
issues. How does that data proliferate across the multiple data centers that service actually uses?
What is the guarantee that all of the data centers that will host and contain my data and its
replication and these backups and others are all within the geographical boundaries that are
acceptable by the European legislation?
I'm just taking that as an example, because there is other legislation in the US that is state based
and has the same type of approach and the same type of issues. So, on the one hand, we still are
based with a very local-oriented legislative body and we are there with a globally oriented vision
for cloud. In one way, form, or shape we'll have to address the dichotomy between both for the
cloud to really be able to take off from a legal perspective.
Reed: Dana, if I may, the bottom line is that data can be classed as global, whereas legislation is
generally local. That's the basis of the problem here. One of the ways in which I would
recommend folks consider this -- when you start talking about data loss, data protection and that
sort of stuff -- is having a data-classification approach that allows you to determine or at least
deploy certain logic and laws and thinking how you're going to use it and in what way.
If you go to the military, the government, public sector, education, and even energy, they all have
very structured approaches to the data that they use. That includes understanding how this might
be used by third parties and things like that. You also see some recent stuff. Back in 2008, I think
it was, the UK came up with a data handling review, which was in response to public sector data
breaches. As a result, they released a security policy framework that contains guidance and
policies on security and risk management for the government departments. One of the key things
there is how to handle data, where it can go, and how it can be used.
Trying to streamline
What we find is that, despite this conflict, there are a lot of approaches that are being put into
play. The goal of anyone going into this space, as well as what we are trying to promote with the
CSA, is to try to streamline that stuff and, if possible, influence the right people that are trying to
avoid creating conflicting approaches and conflicting classification models.
Ultimately, when we get to the end of this, hopefully the CSA or a related body that is either
more applicable or willing will create something that will work on a global scale or at least as
widely as possible.
Gardner: So, for those companies interested in exploring cloud it's by no means a cakewalk.
They need to do their due diligence in terms of technology and procedures, governance and
policies, as well as regulatory issues compliance and, I suppose you could call it, localization
types of issues.
Is there a hierarchy that appears to either of you about where to start in terms of what are the safe
types of data, the safer or easier types of applications, that allows you to move towards some of
these principles that probably are things you should be doing already, but that allow you to enjoy
some of the rewards, while mitigating the risks?
Reed: There are two approaches there. One of the things we didn't say at the outset was there are
a number of different versions of cloud. There are private clouds and public clouds. Whether you
buy into private cloud as a model, in general, the idea there is you can have more protections
around that, more controls, and more understanding of where things are physically.
That's one approach to understanding, or at least achieving, some level of protection around the
data. If you control the assets, you're allowed to control where they're located. If you go into the
public cloud, then those data-classification things become important. If you look at some of the
government standards, like classified, restricted, or confidential, once you start to understand
how to apply the data models and the classifications, then you can decide where things need to
go and what protections need to be in place.
Gardner: Is there a progression, a logical progression that appears to you about how to approach
this, given that there are still disparities in the field?
Reed: Sure. You start off with the simplest classification of data. If it's unprotected, if it's
publicly available, then you can put it out there with some reasonable confidence that, even if it
is compromised, it's not a great issue.
Verstraete: Going to the cloud is actually a very good moment for companies to really sit down
and think about what is absolutely critical for my enterprise and what are things that, if they leak
out, if they get known, it's not too bad. It's not great in any case, but it's not too bad. And, that
data classification that Archie was just talking about is a very interesting exercise that enterprises
should do, if they really want to go to the cloud, and particularly to the public clouds.
I've seen too many companies jumping in without that step and being burnt in one way, form, or
shape. It's sitting down and thinking through that, thinking through, "What are my key assets? What
are the things that I never want to let go that are absolutely critical? On the other hand, what are
the things that I quite frankly don't care too much about?" It's building that understanding that is
actually critical.
Gardner: Perhaps there is an instance that will illustrate what we're talking about. I hear an
awful lot about platform as a service (PaaS), which is loosely defined as doing application
development activities in a cloud environment. I talk to developers who are delighted to use
cloud-based resources for things like testing and to explore and share builds and requirements in
the early stages. At the same time, they're very reluctant to put source code in someone else's
cloud. Source code strikes me as just a form of data. Where is the line between safe good cloud
practices and application development, and when would it become appropriate to start putting
source code in there as well?
Combination of elements
Verstraete: There are a number of answers to your question and they're related to a
combination of elements. The first thing is gaining an understanding as much as you can, which
is not easy, of what are the protection mechanisms that fit in the cloud service.
Today, because of the term "cloud," most of the cloud providers are getting away with providing
very little information, setting up SLAs that frankly don't mean a lot. It's quite interesting to read
a number of the SLAs from the major either infrastructure-as-a-service (IaaS) or PaaS providers.
Fundamentally, they take no responsibility, or very little responsibility, and they don't tell you
what they do to secure the environment in which they ask you to operate. The reason they give
is, "Well, if I tell you, hackers can know, and that's going to make it easier for them to hack the
environment and to limit our security."
There is a point there, but that makes it difficult for people who really want to have source code,
as in your example. That's relevant and important for them, because you have source code that’s
not too bad and source code that's very critical. To put that source code in the cloud, if you don't
know what's actually being done, is probably worse than being able to make an assessment and
have a very clear risk assessment. Then, you know what the level of risk is that you take. Today,
you don't know in many situations.
Gardner: Alright, Archie.
Reed: There are a couple of things or points that need to be made. First off, when we think about
things like source code or data like that, there is this point where data is stored and it sits at rest.
Until you start to use it, it has no impact, if it's encrypted, for example.
So, if you're storing source code up there, it's encrypted, and you hold the keys, which is one of
the key tenets that we would advocate for anyone thinking about encrypting stuff in the cloud,
then maybe there is a level of satisfaction and meeting compliance that you have with that type
of model.
Putting the source code into the cloud, wherever that happens to be, may or may not actually be
such a risk as you're alluding to, if you have the right controls around it.
The second thing is that we're also seeing a very nascent set of controls and guarantees and SLAs
and those sorts of things. This is very early on, in my opinion and in a lot of people's opinion, in
the development of this cloud type environment, looking at all these attributes that are given to
cloud, the unlimited expansion, the elasticity, and rapid provisioning. Certainly, we can get
wrapped around the axle about what is really required in cloud, but it all ultimately comes down
to that risk analysis.
If you have the right security in the system, if you have the right capabilities and guarantees, then
you have a much higher level of confidence about putting data, such as source code or some sets
of data like that, into the cloud.
Gardner: To Christian’s point that the publicly available cloud providers are basically saying
buyer beware, or in this case, the cloud practitioner beware, the onus to do good privacy, security
compliance, and best practices falls back on the consumer, rather than the provider.
Community clouds
Reed: That's often the case. But, also consider that there are things like community clouds out
there. I'll give the example of US Department of Defense back in 2008. HP worked with the
Defense Information Systems Agency (DISA) to deploy cloud computing infrastructure. And, we
created RACE, which is the Rapid Access Computing Environment, to set things up really
quickly.
Within that, they share those resources to a community of users in a secure manner and they
store all sorts of things in that. And, not to point fingers or anything, but the comment is, "Our
cloud is better than Google's."
So, there are secure clouds out there. It's just that when we think about things like the visceral
reaction that the cloud is insecure, it's not necessarily correct. It's insecure for certain instances,
and we've got to be specific about those instances.
In the case of DISA, they have a highly secured cloud, and that's where we expect things to go
and evolve into a set of cloud offerings that are stratified by the level of security they provide, the
level of cost, right down to SLAs and guarantees, and we’re already seeing that in these
examples.
Gardner: So, for that cloud practitioner, as an organization, if they take those steps towards
good cloud computing practices and technologies, it’s probably going to benefit them across the
board in their IT infrastructure, applications, and data activities. But does it put them at a
competitive advantage?
If you do this right, if you take the responsibility yourself to figure out the risks and rewards and
implement the right approach, what does that get for you? Christian, what’s your response to
that?
Verstraete: It gives you the capability to use the elements that the cloud really brings with it,
which means to have an environment in which you can execute a number of tasks in a pay-per-
use type environment.
But, to come back to the point that Archie was making, one of the things that we often have a
tendency to forget -- and I'm as guilty as anybody else in that space -- is that cloud means a
tremendous amount of different things. What's important for customers who want to move and
want to put data in the cloud is to identify what all of those different types of clouds provide as
security and protection capabilities.
The more you move away from the traditional public cloud -- and when I say the traditional
public cloud, I’m thinking about Amazon, Google, Microsoft, that type of thing -- to more
community clouds and private clouds, the more important that you have it under your own
control to ensure that you have the appropriate security layers and security levels and appropriate
compliance levels that you feel you need for the information you’re going to use, store, and share
in those different environments.
Gardner: Okay, Archie, we’re about out of time, so the last question is to you and it’s going to
be the same question. If you do this well, if you do it right, if you take the responsibility, perhaps
partner with others in a community cloud, what do you get, what’s the payoff, why would that be
something that’s a competitive advantage or cost advantage, and energy advantage?
Beating the competition
Reed: We’ve been through a lot of those advantages. I’ve mentioned several times the elasticity,
the speed of provisioning, the capacity. While we’ve alluded to, and actually discussed, specific
examples of security concerns and data issues, the fact is, if you get this right, you have the
opportunity to accelerate your business, because you can basically break ahead of the
competition.
Now, if you’re in a community cloud, standards may help you, or approaches that everyone
agrees on may help the overall industry. But, you also get faster access to all that stuff. You also
get capacity that you can share with the rest of the community. If you're thinking about cloud in
general, in isolation, and by that I mean that you, as an individual organization, are going out and
looking for those cloud resources, then you’re going to get that ability to expand well beyond
what your internal IT department.
There are lots of things we could close on, of course, but I think that the IT department of today,
as far as cloud goes, has the opportunity not only to deliver and better manage what they’re
doing in terms of providing services for the organization, but also have a responsibility to do this
right and understand the security implications and represent those appropriately to the company
such that they can deliver that accelerated capability.
Gardner: Very good. We’ve been discussing how to manage risks and rewards and proper
placement of enterprise data in cloud-computing environments. I want to thank our two panelists
today. Christian Verstraete, Chief Technology Officer for Manufacturing and Distribution
Industries Worldwide at HP. Thank you, Christian.
Verstraete: You’re welcome.
Gardner: And also, Archie Reed, HP's Chief Technologist for Cloud Security, and the author of
‘The Definitive Guide to Identity Management’ and the upcoming new book, ‘The Concise
Guide to Cloud Computing’. Thank you, Archie.
Reed: Hey, Dana. Thanks for taking the time to talk to us today.
Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. You’ve been listening
to a sponsored BriefingsDirect podcast. Thanks for joining us, and come back next time.
Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.