
The trust issue front and center at RSA Conference

By Sean Martin, CISSP, Imsmartin Consulting, Network World
March 23, 2011 10:41 AM ET

Network World - A large number of sessions, vendor pitches and hallway chatter at the recent RSA conference in San Francisco revolved around "cloud security", everything from securing public cloud environments to securing private cloud virtual machines, and from securing operations and data in the cloud to delivering cloud-based security applications and services. But the common theme appeared to center on that elusive thing called trust.

The suggestion was that, because we've decided to put our information, applications and infrastructures in the hands of cloud providers, we all of a sudden have to worry about trust. The reality is we've always had to worry about trust. Unfortunately, most businesses have opted to blindly trust in the absence of being able to prove that the trust was, and is still, warranted. Have we all conveniently forgotten about the insider threat?

To be fair, some of the sessions in the Cloud Security Alliance (CSA) Summit did speak to the fact that trust was not enough. This group is certainly on the right track, but some of the discussions stopped a bit short as they looked to traditional methods for mitigating the risks related to relying on trust in the cloud: things such as utilizing traditional perimeter-based protection measures and security monitoring processes, working to meet increasingly stringent regulatory guidelines, and relying on newly formed reputation services.

Meanwhile, the "Cloud Trust Authority" vision, as presented by RSA's CTO Bret Hartman, while a great stride forward in terms of removing a lot of the fears associated with moving business processes to the cloud, also requires placing trust in a third party. Certainly this initiative and others like it will help secure the cloud. Will it be enough for organizations to unequivocally prove that the cloud is in fact secure?

Credit must be given to the United States government, as Vivek Kundra, the U.S. Federal CIO, made it clear that proof of cloud security is paramount to the U.S. government's ongoing IT strategy. During his presentation, Kundra spoke to a number of initiatives geared toward moving large numbers of government systems and applications to the cloud.

"With the number of U.S. government data centers growing from 482 in 1998 to nearly 2,100 in 2010, [moving] in the opposite direction as the rest of the U.S., it is clear that something has to change," Kundra said. "It is anticipated that of the $80 billion spent yearly on IT across various agencies, $20 billion will be invested in moving data centers to the cloud." Kundra was energetic as he called upon the cloud security community to get innovative as the U.S. government braces for the "Cloud First - here comes $20 billion!" initiative.

Turning deeper to security and trust in the government space, Joyent Chief Scientist Jason Hoffman referenced an article quoting Debora Plunkett, head of the NSA's Information Assurance Directorate. "We have to build our systems on the assumption that adversaries will get in," Plunkett said. In the same article, Gartner Analyst John Pescatore adds, "Basically, unless the hardware and software was built by NSA and has NSA-approved tamper protection, it can't be trusted. Since even the NSA has to use commercial hardware and software, their own environments can't be trusted!"
