The Public Eye with Eric Chabrow

Making the Case for a Secure Cloud

Skeptics Want to Be Persuaded that Cloud Computing Is Safe

The cloud can - and in the minds of some, will - be as secure as other forms of computing. That's a key takeaway from the RSA Conference 2012.

Many skeptics exist and understandably so; the cloud has a lot to prove in terms of security. Still, even skeptics want to believe in the cloud's security.


That was evidenced by an RSA session entitled How to Launch a Secure Cloud Initiative, which I co-presented with the IT chief technology officer at NASA's Jet Propulsion Laboratory, Tom Soderstrom, who is proving, in a deliberate, methodical approach, that the cloud can be secured. My guess is that some 200 IT security specialists attended. I've attended many conferences in my career, but I rarely saw as many people lined up after a presentation as I did with this session to speak with the presenter, and it was Tom, not me, they wanted to address.

What Tom is doing with his colleagues at JPL isn't rocket science - he leaves that to others - but an orderly process in which the lab's business, information technology and IT security staffs collaborate to test, pilot and deploy secure - and effective - cloud computing solutions. Borrowing from a process from JPL's deep-space probes, the lab developed what it calls a Wheel of Security, in which types of information are classified to determine the security each bit and byte needs.

"One of the key things is, and I can't emphasize how important this is, you only learn by doing," Soderstrom said in a video interview I conducted with him at RSA (see below). "We couldn't jump to mission critical in the cloud without going through the steps of trying to see how it works in the organization, which cloud vendors work. The key is to put the data and the processing in the most appropriate place."

[Video: interview with Tom Soderstrom at RSA Conference 2012]

An intriguing approach JPL takes to test cloud security is to treat non-sensitive data as if they were sensitive so lab team members will know how to secure information it deems confidential. "We learned our processes, how to work with our legal, compliance and auditing, and once we're comfortable, we'll put the data in that cloud," Soderstrom said. "As we get more comfortable with that, we treat it as if it were to the next level of security. Then we put it in there. It is a way of keeping moving forward: walk, crawl, run. It's a journey."

JPL is years away from placing classified and its most sensitive data on the cloud, but Soderstrom is convinced one day the NASA unit will. Now, he said, JPL feels comfortable placing vital export control information on the cloud.

Skepticism about cloud security remains strong. Preliminary findings from a survey we're conducting here at Information Security Media Group, and unveiled at our RSA session, reveal that respondents - mostly IT security professionals - wouldn't place critical business systems on the cloud. One-third say flatly no when asked if they would, and nearly another third respond perhaps, but not within 12 months. Fewer than one in five respondents say they would place critical business systems on the cloud. Yet, these security professionals want to be convinced. Nearly 20 percent say they plan to move one or more critical business systems to the cloud within a year. The fact that elements of cloud computing can be secure is gaining adherence.

"The cloud is a game changer," Soderstrom said. "It's an unstoppable force."

* * *

The survey remains open, so if you haven't taken it, please do. Here's a link to the 2012 Cloud Computing Security Survey.



About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



