|
Although only a handful of people in the 500-plus person opening main session for SecTor 2009 raised their hands when asked if they had responsibility for securing their employers’ cloud efforts, presenter Christopher Hoff had a bold prediction for the rest of his audience.
“The rest of you, by this time next year, will all be doing so,” he said.
Hoff, a 15-year veteran of the security business and blogger focused on virtualization and cloud computing security, opened the show at the Metro Toronto Convention Centre with an overview of the challenges around securing the broad and all-encompassing cloud.
The biggest challenge, Hoff said, was the fact that the cloud was, by its nature, Internet-based, and “the Internet is a remarkably frail operating system,” based on loose handshakes and trust. Hoff said that the technology industry is “product rich and solution poor” when it comes to security
“Our answer has always been the firewall and SSL, and that’s simply not going to work,” Hoff said. “The security industry is hard-coded on the wrong set of capabilities at the wrong time.”
The move to hosted software (Software as a Service) hosted infrastructure (infrastructure as a Service) and hosted platforms (platform as a service) will mean IT has to address a variety of models, each with their own challenges. While SaaS offers a fair bit of security because it’s a single, locked down application, it offers lesser ability to integrate with other products. Platform as a service is more extensible because it’s based on APIs that allow access, but ultimately less secure out of the box, and IaaS swings the other way from SaaS, offering a great deal of flexibility and extensibility, but a much murkier path to manageable security.
|
