Cloud Security Alliance in favor of open standards- regulatory agencies to feel economic pressures to open to cloud.
Very interesting conversation with Nils Puhlmann, a co-founder of the Cloud Security Alliance originally about the DTMF initiative for open standards, but went out and about a bit; here are three nuggets which I was interested to hear about:
Security: Puhlmann is of the opinion that a) as much transparency as possible would have direct benefits to cloud providers, since “If you do everything well, why would you not want to show your customer?”.
He feels that customers would actually be more likely to buy into vendors that could show best practice security under some kind of standards model, since it would free customers from glacially slow and costly audits and testing- enterprise could buy into a public cloud without a hitch under the right conditions(read: bomb-proof security standards) and b) “within 12 months we will see many things in cloud security that will have completely failed,” either through backing the wrong horse in terms of security model or through market forces that ebb away from a chosen track.
He thinks that consensus on cloud security will emerge in baby steps as the marketplace learns what works and what doesn’t and what pays off and what doesn’t.
Compliance: Puhlmann says, “What we see for some companies,” that have regulatory oversight, “are compliance rules that rely on the notion that you have complete control over your data,”which, if you are using public clouds, is patently untrue.
But enterprise wants to use public clouds, small and midsize companies that interact with regulated agencies will want to use it; Puhlmann points out that the $19B Electronic Health Records initiative, for instance is “simply not going to happen without cloud” technologies.
FIM: Puhlmann raises hopes of a universal federated identity model, since as data gets more and more distributed, “a good federated identity standard would provide the means to track and control who has access to your data across private enterprise and the public cloud.” and believes it’s a problem that remains unsatisfactorily addressed, cloud or no cloud, but this drive toward IaaS might provoke a more catholic solution.
And the long and short of addressing a lot of these concerns lies in the hands of the agencies that regulate so much of the data about us personally.
Puhlmann thinks that dollars and sense are going to come to a head much quicker than many anticipate, since the poor economic climate is driving an awful lot of fence sitters off the palings and into the clouds, and then,”economic pressure will become so immense that regulators will have a big lobby standing behind them to force them to act,” to catch up to cloud technologies and enact regulations that allow controlled data to exist in public cloud infrastructures.
And who am I to doubt him? A reporter, so of course I doubt him, and this is well-considered analysis, not factual reporting, but from a common-sense perspective, everything he says holds water, and it’s going to be terrifically interesting to see what happens with the cloud rubber meets that federally regulated road.