Video Tutor David Vellante
Video tutor David Vellante is an advocate for IT professionals and a practitioner who actively uses social networks to foster collaboration and the sharing of free advisory knowledge. Mr. Vellante is also a former CEO, the founder of three startups, including The Wikibon Project, and a former SVP of IDC's largest business.
Questions and Answers from the Tutor
Question: Since cloud security is so complicated, how long do you think it will take before we really see a move to mission-critical cloud apps? Two years more? Three? Five?
Answer: First, here are my definitions of application classes.
Class 1: Development; file and print; small data marts, small-scale applications; database servers
Class 2: Medium-scale applications and database servers; data marts; small customer relationship management (CRM); small data warehouses; messaging (Exchange, etc.)
Class 3: Mission-critical applications; enterprise CRM; enterprise resource planning (ERP); large-scale online transaction processing (OLTP); large-scale database servers; large-scale messaging
Class 4: Large-scale applications requiring the highest levels of availability, security, and recoverability
Classes 1 and 2 are going to the cloud today. Class 3 is very limited today -- I would say three to five years or more. Class 4 is 10 years away or more.

Question: David, you say that the cloud, in effect, expands the boundaries of the data center, with multi-tenant arrangements within the cloud more vulnerable to external threats. How will specific, "sensitive" verticals -- banking, healthcare, and others -- be persuaded to take advantage of the purported benefits of cloud security if the threatscape is in fact larger than something more partitioned and locked-down?
Answer: Thanks for the question, Amy. The answer is very carefully and slowly.
It will start with use cases where information risk is low; e.g., certain file shares, maybe test and dev work, or backup for non-sensitive data and perhaps some overflow capacity in limited cases. But I believe there's some "invention required" before such organizations are comfortable putting sensitive data in the cloud.

Question: What five security-related questions should potential customers ask when shopping for cloud services?
Answer: Here are 10 to get you going:
- What are the processes used to protect and secure data?
- How do you handle multi-tenant security?
- Where is the data stored physically?
- Who has access to the data?
- How is it audited, and how often?
- Can I see a typical audit trail?
- How do you handle event management?
- What's the penalty for a breach?
- What's the liability limit in the contract for the service provider?
- What other firms that are using your services can I speak with?

Question: In Q10, you seem to be making the "Wal-Mart" argument in favor of clouds. But can all companies benefit from the security of the cloud and just drop all internal security products and personnel?
Should we assume that the cloud will only augment and assist the measures we have in place? Or should I be polishing my resume and preparing to relocate?
Answer: I see cloud computing as including the so-called private cloud, i.e., internal data center infrastructure. In my view, this infrastructure will evolve using cloud technologies that bring on-demand, pay-as-you-go models to the internal data center. I believe that internal security products and personnel will play a critical role in delivering cloud security -- particularly with respect to moving workloads off site and (importantly) bringing them back in-house.
So the answer to your (excellent) question is most definitely augmentation, with the understanding that the internal measures will evolve to leverage cloud-like security models for internal infrastructure. Examples include security templates being deployed in a virtualized shop (internal cloud) and the more rapid distribution of patches to virtual machines.

Question: Your points cover the possibility of corrupted or deleted data being restored to a previously known, good point in time that does not jeopardize data that has been changed legitimately since that time. But what about the "real worst case scenario," in which hardware is lost, the program that generated the data in question is gone along with all the registry settings, and external links and DLLs that made it function are lost?
Most backup solutions make one full backup and never look back at those keys again. The data is still safe and sound. But without that, the application might as well be on the moon. I'm not suggesting that cloud security overlooks this event, but all backup solutions seem to ignore it. Or did I miss something?
Answer: It's a question of RPO: recovery point objective.
Organizations with very stringent RPO requirements would make a full, synchronous replication of their data center, including the application. Further, organizations may even take the step of creating a third, asynchronous infrastructure in an effort to create a zero- or near-zero data loss environment.
It comes down to how much you're willing to pay.
