In cloud computing lately, trust seems to be on everyone's mind.
Alan Murphy of the Virtual Data Center blog points to the dynamic nature of the cloud as a reason why there will need to be more "trust" between customers and vendors:
So moving forward, as the security people tear apart the (in)security of cloud computing, the rest of the world will just need to take that leap of trust. A lowering of our standards for what we can control in the cloud's outsourced data model.
As an end user, it kills me, but I know I have to make those sacrifices, if I want to use those services. So I have to modify my level of trust, and apply new and stronger safeguards to the rest of my work flow processes (personal and professional) to make sure I'm able to recover if/when there is a massive breach that's beyond my control.
My recovery is something I can control, and I definitely trust myself.
Chris Hoff of the blog Rational Survivability responds by pointing out that if more trust means less security, we've got a problem:
In simply closing our eyes, holding our breath, and accepting that in the name of utility, agility, flexibility, and economy, we're ignoring many of the lessons we've learned over the years, we are repeating the same mistakes and magically expecting (that) they will yield a different outcome.
A few months ago, I sat through a very cool "unsession" at the Cloud Summit Executive in San Jose, Calif., in which the conversation ranged across an incredibly broad range of cloud-related subjects. I wrote about that session not long after, but I was reminded of it again, after a conversation with Alan Cohen, in which he articulated his belief that what every enterprise wants from the cloud revolves around a single word.
Throughout the cloud summit session, that same word kept rising to the surface, time and time again: trust.
Trust is at the heart of the resistance that many enterprise customers have with the cloud. Take the cloud skepticism of SearchDataCenter.com's Chuck Goolsbee. Among many concerns he has with the cloud-computing model, he points to applications that must pass Payment Card Industry muster. PCI standards are thorough and intense, and Goolsbee doesn't think that the cloud is up to the task:
So can any of this be trusted to a cloud? I doubt it. A cloud is amorphous and indistinct. It is layer seven, abstracted from all the lower layers. You can't audit a cloud. It is virtual. Sure, we all know that it translates to a physical manifestation at some point, but can you touch it?
Can you audit, with absolute certainty, its file systems, logs, and physical access? Can you be absolutely certain that it is physically secure? Can you be absolutely certain that its virtualized file systems are not mingled on a physical disk with somebody else's data?
Absolute certainty is required for compliance. You can't find absolute certainty out there in a cloud, by definition.
Did you catch that first sentence? To Chuck, PCI in the cloud boils down to trust. Folks like Murphy and Hoff, who talk about cloud security, are obviously talking about trust. Those worried about data ownership are worried about trust--as in "I don't trust such a critical asset to anyone but my own company."
Those interested in "cloud sprawl" are worried about trust--as in "how can I trust that my employees aren't wasting my money or putting my data in harm's way?" CFOs worry about trusting that cloud bills will stick to some predictable budget over the course of a year.
But trust is being addressed in the cloud, as we speak. Rich Miller of Data Center Knowledge outlines a response to Goolsbee's PCI concerns, and he points to a very important post by Michael Dahn of the PCI Blog. Michael Sheehan at GoGrid responds to several of Goolsbee's other points.
I'm not saying that all trust issues (even all the ones Goolsbee outlines) are handled now, or will clearly be handled in the next year or two. Rather, I note that no enterprise seems eager to commit key applications to the cloud without security and control--both trust issues. Entrepreneurial opportunity abounds to solve trust issues.
One of the biggest contributors to trust solutions in the cloud will likely be your network service provider--both old-school carriers and new-wave mobile networks pushing into that market.
Imagine an explosion of new network services that build trust into your service, without the requirement to alter application or infrastructure architectures. Technologies that give the enterprise complete trust in the integrity of their cloud data and workloads. New business models that simplify federated cloud computing while increasing security.
Before anyone is willing to make a firm commitment the cloud, they have to trust it. I understand that need. The good news is that most of the cloud market does too, and this market will survive based on its ability to gain it. You can bet that trust will be the focus of a lot of innovation in 2009.