Walking in the Clouds - Cloud Computing Summit 2010 - Part III

After the panel discussion, the focus shifted towards the security aspects of Cloud Computing. These sessions were covered by Anil Nama, Vice President - Solutions and Innovations, CtrlS, and Ajay Porus, Organizer and Director, Cloud Security Alliance, Hyderabad Chapter. I was personally quite excited about this session as I had some hands-on experience in handling security issues in my previous organization when I was a part of the Business Continuity Planning Team.

Anil focussed on the Network Infrastructure and talked at length about Tier IV infrastructure and the need to build it from scratch. Tier IV data centers are considered to be more robust and less prone to failures. You can learn more about the Tier IV data center services offered by CtrlS here. He posed a critical question: who is responsible for security when multiple layers converge at the last mile?

He also talked about various certifications, such as 1) ISO 20000, 2) ISO 27001 and 3) BS 259999, that clients often mandate in order to mitigate the risks posed by technology and a host of other vulnerabilities. He further added that these certifications become an added service layer for the organization. I couldn’t fully appreciate his entire talk as I couldn’t fully understand some of the essential technicalities that were intricately connected with his presentation. He addressed Identity Federation and its importance in the security context, something I could appreciate much later when I read about it here.

He elaborated on the need for putting ITIL in place, addressing the specific challenges it imposed on Cloud Security. He also talked about security evaluation through the seven levels of EAL Certification and especially the seventh level (EAL 7), which addresses the issues of Cloud Security. He stressed the need to focus on the different layers of security, viz., 1) Information Assurance, 2) Physical, 3) Communication Security, 4) Operations Security and 5) System Safety/Rehabilitation.

I was able to appreciate the next talk by Ajay Porus as it wasn’t too technical and I could appreciate some of the security aspects. He talked about the need to establish Cloud CERT (Emergency Response Team) as a part of the Disaster Recovery Team. He also talked about the Cloud Security Alliance and the various initiatives that are being taken as a part of the Alliance.

Cloud Security Alliance has its offices across Mumbai, Hyderabad, Chennai and Bangalore, with each office specializing in one technology. CSA Chennai focussed on Virtualization, while CSA Bangalore focussed on Compliance issues. He introduced the Cloud Controls Matrix, which helps in assessing the security risk of cloud providers.

Some of the other interesting initiatives that were discussed were

He offered a bird's-eye view of the cloud-specific security aspects, ranging from insecure APIs, Traffic Hijacking and Nefarious Use of cloud services to the importance of information life cycle management. He gave a brief overview of PCI Compliance, which can be implemented by the user himself, and the European Data Protection Act.

I was quite excited about the Open Source in Cloud session, especially in the Indian context, because I had doubts whether they were very much nascent in India. One of my friends who is working at IBM Research Labs pointed out to me that there is quite a frenzied activity around Open Source hypervisors and management stacks built around those. Although deployed solutions might not still be all over the place, the technology that makes a cloud deployment possible is very much mature with Open Source too.

MV Madhu, Managing Director, Wilshire Software, talked in his session about four major players which are prominent in the Open Source space.
1) Cloud.com 
  • Elastic Host can be used via remote
  • Only a small part of EC2 API implemented since Open Nebula Beta

  • Fully API compatible to Amazon EC2
  • Includes Walrus, S3 Compatible Storage Device Service
4) Open QRM
  • Single Management Console
  • Support for Multiple Virtualization technologies
  • No Vendor Lock-ins
He personally favored Cloud.com due to its advantages such as 1) Hypervisor Independence and 2) Virtual Resource Management features. The audience also pointed out the lack of support available in Open Source, which prompted them towards proprietary technology.

The next session on Open Source Cloud was undertaken by Sukanta Basak, Sr. Solutions Architect, Red Hat India. He talked about the convergence of various laws such as Metcalfe's Law, Kryder's Law and Fiber Law which were driving the Cloud Computing phenomenon. He also talked about the evolutionary shift happening from Virtualization to Private Cloud to Public Cloud. He explained Red Hat Enterprise Virtualization in detail. He added another perspective on the difference between Virtualization and Cloud, where the former consists of hardware abstraction and the latter involves resource abstraction. He also talked about the necessity of an Abstraction Layer to manage scale.

Prior to the sessions on Open Source, there was an interesting panel discussion on the deployment challenges involved in Cloud Computing. I have covered most of the issues that were discussed in the previous posts. Some of the additional takeaways from the discussion were:

a) Risks are not posed by technology per se, but by the persons and processes involved in the adoption and implementation of technology.

b) Laxmi Narayan Rao talked about the greener side of Cloud Computing. However, I have some reservations about this, as I have come across research which debunks the whole notion of green technology in Cloud Computing. Simon Wardley, one of my favorite Cloud gurus, explains the misconception involved beautifully here.

c) Data insecurity often amplifies and grows exponentially. Hence it is critical to understand the security aspects of Cloud computing. 

d) CIOs have been late in adopting new technology due to the perceived loss of control. Support services have also not been adequately developed in this sector, which explains most of the reluctance in moving towards the Cloud.

e) The evolving nature of regulations was discussed. In the UK, regulations have been imposed which state that the data should reside physically in one of the systems within the continent. Since data often resides across continents, decisions are taken based on cost considerations.

f) Amit Saha, Global Head of Data Quality and Integration, Novartis, spoke brilliantly and added the pharmaceutical industry perspective. He cogently explained the criticality of the voluminous data that are generated every day through the sophisticated life-saving instruments that are plugged into patients. He candidly admitted the necessary conservative attitude towards new technology owing to the immense risk involved.