Like a fickle 12-year-old with a favorite pop band, the security industry has forgotten all about last year's fads and is focused on a new one: cloud computing.
This was exceedingly evident at this week's RSA Conference in San Francisco, which boasted significantly improved attendance, including actual users and buyers.
It all made for a fun game of cloud bingo: start the timer when a vendor briefing begins and wait until you hear the word "cloud" – then jump up and shout "bingo" (not an original idea -- Bruce Schneier publishes an excellent RSA bingo card). Fortunately it was not a drinking game, otherwise I would have risked alcohol poisoning. Few vendors made it past the 10-minute mark.
Cloud is the latest frontier of security marketing, if not of actual products or customer deployments. As our research shows, less than 1% of the organizations that participate in our research have deployed anything in an infrastructure-as-a-service (IaaS) cloud, though we do see quite a bit of adoption of software-as-a-service (SaaS).
RSA President Art Coviello observed that this may be the first time the industry has started working on the security problems before the technology is mainstream. In a way, this is a welcome departure from the usual state of affairs where security is a long delayed afterthought.
For companies that already use IaaS cloud (such as my company Nemertes Research), the issues of security are not mere philosophical musings. We have to soberly examine the inherent risks and build compensating controls.
Cisco's Chris Hoff opened the Cloud Security Alliance Summit at RSA with an excellent presentation on this topic, delivering a pragmatic assessment of the issue of cloud security. For Hoff, the question "Is the cloud secure?" is pointless, and "Compared to what?" is the only sensible answer. In Zen Buddhism, a "koan" is a paradoxical question that cannot be answered logically but invites introspection -- "what is the sound of one hand clapping?" The Zen answer to such questions is "mu", which roughly means "your question has no meaning, so un-ask it". Let's all practice saying "mu", because the topic of cloud computing will create many opportunities for us to un-ask these meaningless questions.
The cloud pragmatist will have to weigh the relative security of a cloud as compared to alternatives such as hosting, co-location or his own data center. The cloud is a platform shift that forces us to re-focus on the tried-and-true approaches that we have been discussing for at least a decade: data-centric and identity-centric security, the perimeter-of-one model, the need for audit and assurance.
On the topic of audit and assurance, one of the more interesting elements of the Cloud Security Alliance Summit was the A6 workgroup, which aims "to provide a common interface that allows providers to automate the audit, assertion, assessment and assurance of their environments and allow authorized consumers of their services to do likewise via an open, extensible and secure API across SaaS, [platform-as-a-service (PaaS)] and IaaS offerings." Pay attention to A6 -- it could be a very useful standard.
RSA 2010 is a promising indicator for the year: palpable enthusiasm, excitement and activity, and real users actually interested in buying stuff. A big change from 2009.