Invoking the spirit and words of the great French author and compatriot Victor Hugo, Symantec’s VP for product development said, “In life it’s much easier to say you love someone than to trust someone”. The same can be said of IT and management’s love of cloud computing and its economic benefits, yet the largest obstacle to wider uptake remains trust in cloud services.
“There is no market for the cloud business unless we can trust it”, Popp added.
Popp reviewed two primary reasons why enterprises have fallen in love with the cloud: the economic drivers, which are very compelling from a business perspective, and the simplification cloud provides, reducing the complexity of services.
Security, however, remains a significant concern, he noted. “The security issues are non-traditional. They are different than the threat models we are used to dealing with”.
Listed among these threats, according to Popp, are rogue administrative privileges, the mixing of different organizational data, and losing control over a network you no longer own.
“We need security for the cloud”, he implored, “otherwise we operate under a pray-as-you-go model”.
He then laid down a framework for how security pros can move from just loving the cloud to actually trusting in cloud services. It includes four key points, among them a uniform governance policy across all cloud providers; a baseline certification for providers, or “PCI for the cloud”; reliability monitoring for service-level agreements; and compliance verification.
Identity is critical to developing trust in the cloud, according to Popp, because IT departments may not control the device, the application, the infrastructure, or the data storage, but IT can still control identity access.
Popp favors the creation of so-called “identity brokers”, who will be responsible for enabling one single identity across all cloud services, or a single sign-on corporate ID.
Symantec’s Popp believes we can eventually get to “in cloud we trust” by implementing various “trust brokers” that ensure verified identity and access to cloud services, trust that the information is properly protected, verified monitoring, and provider controls through certification.
“Identity and access management is still the one thing we can control”, Popp concluded. “If we do all of these things, we will basically raise the level of security, and the level of trust, to a very acceptable level.”