This has been one seriously busy couple of weeks. Between major changes at work, the post-RSA wrap-up and reviewing the initial material from the Cloud Security Alliance, there has been a lot going on!
Trend Micro Acquires Third Brigade
The company I have been working for since it started nearly five years ago has signed a definitive agreement to be acquired by Trend Micro. As you can imagine this is a pretty exciting time for us, and the reaction in the press and community has been very positive. I'm personally looking forward to this new era and excited about what we will produce. We have been working with Trend over the last 18 months on the Intrusion Defense Firewall, and I firmly believe this deal will result in even better products to come. (Press Release) (Media/Analyst Teleconference)
RSA Wrap Up
Digging through the post-RSA aftermath takes some time, though there are some worthy nuggets of information. After reviewing all of the keynotes I missed, I highly suggest checking out Brian Smith from TippingPoint as he introduces an interesting method of making multiple products work together more effectively. I also recommend watching the Qualys keynote; Philippe Courtot does a really good job of putting security as a service in perspective.
If you missed RSA there are some good summaries out there, including Anton Chuvakin's four-part series (I, II, III, IV) and Ben Tomhave's summary. Dan O'Neill does a good job of summarizing what was, for me, the main event (and I agree, it was unfortunate that it lacked the sumo suits).
Cloud Security Alliance
I finally had the opportunity to read the first document from the Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Computing". If you are not familiar with the CSA, it is a grassroots effort to create and apply best practices for securing Cloud computing. This first document tackles the critical job of providing definitions for cloud architecture and covers 14 further domains related to Cloud computing.
Anyone familiar with Rational Survivability will find the Cloud architecture domain familiar, as Christofer Hoff has used his blog to vet most of the material present here. Moving beyond the architecture discussion is critical, and I sincerely hope this will serve as the de facto standard; it is certainly the most comprehensive and vendor-neutral way to define the Cloud I have seen (though I do see discrepancies in the definition of databases as IaaS or PaaS).
The other domains are very much initial material to start the discussion. Having expert authorship in each of the areas was an excellent way to start (Disclaimer: my CTO, Brian O'Higgins, contributed domain 15 on virtualization); however, an important second version of the document will be developed through community involvement later this year. I'm looking forward to the second version, where more industry experts will have an opportunity to contribute, thereby balancing and enriching the material.
I strongly encourage anyone with a stake in Cloud computing to get involved. They will be looking for additional volunteers in a wide variety of capacities soon.

I am still reading through the CSA guide, but the one thing I struggle with is the practical application of this guidance. While it's a very comprehensive collection of the topics that concern cloud security, are security practitioners expected to demand that their cloud providers adopt all recommendations?
There are real security concerns about moving enterprise data into the cloud, but it seems like guidance of this sort would actually slow responsible cloud adoption, rather than accelerate it.
More thoughts on the subject:
http://blog.alertlogic.com/?p=270
Posted by: Misha | May 2, 2009 at 12:40 PM
These are good points and I would tend to agree; however, I think it's necessary to slow down and ensure that this guidance is followed. Particularly in the legal, compliance and application security domains there is a lot to verify before jumping on board cloud offerings.
It's going to be a growth process like anything else; however, I would hope that a year from now certain domains would translate into compliance requirements for the providers, so that you can easily tell if they properly support issues like interoperability without each organization needing to do deep due diligence themselves :)
It's just the start, but I'm glad someone is running the race!
Posted by: Justin Foster | May 2, 2009 at 01:24 PM
By the way Misha, I'm the guy in blue in the middle of your photo at the CSA launch :)
http://blog.alertlogic.com/?p=270
Posted by: Justin Foster | May 2, 2009 at 01:39 PM
There is now a Google Group to provide feedback on the first version of the document:
http://groups.google.ca/group/cloudsecurityalliance
Posted by: Justin Foster | May 5, 2009 at 07:26 PM