After the panel discussion, the focus shifted towards the security aspects of Cloud Computing. These sessions were covered by Anil Nama, Vice President - Solutions and Innovations, CtrlS and Ajay Porus, Organizer and Director, Cloud Security Alliance, Hyderabad Chapter. I was personally quite excited about this session as I had some hands-on experience in handling security issues in my previous organization when I was a part of the Business Continuity Planning Team.
Anil focussed on the Network Infrastructure and talked at length about Tier IV infrastructure and the need to build it from scratch. Tier IV data centers are considered to be more robust and less prone to failures. You can learn more about the Tier IV data center services offered by CtrlS here. He posed a critical question of responsibility for security when convergence of multiple layers happens at the last mile.
He also talked about various certifications such as 1) ISO 20000 2) ISO 27001 3) BS 259999, which clients often mandate compliance with to mitigate the risks posed by technology and a host of other vulnerabilities. He further added that these certifications become an added service layer for the organization. I couldn’t fully appreciate his entire talk as I couldn’t fully understand some of the essential technicalities that were intricately connected with his presentation. He addressed Identity Federation and its importance in the security context, something I could appreciate much later when I read about it here.
He elaborated on the need for putting ITIL in place, addressing the specific challenges it imposed on Cloud Security. He also talked about security evaluation through the seven levels of EAL Certification and especially the seventh level (EAL 7), which addresses the issues of Cloud Security. While addressing the security layers, he stressed the need to focus on the different layers of security, viz., 1) Information Assurance 2) Physical 3) Communication Security 4) Operations Security 5) System Safety/Rehabilitation.
I was able to appreciate the next talk by Ajay Porus as it wasn’t too technical and I could appreciate some of the security aspects. He talked about the need to establish Cloud CERT (Emergency Response Team) as a part of the Disaster Recovery Team. He also talked about the Cloud Security Alliance and the various initiatives that are being taken as a part of the Alliance.
Cloud Security Alliance has its offices across Mumbai, Hyderabad, Chennai and Bangalore, with each office specializing in one technology. CSA Chennai focussed on Virtualization, while CSA Bangalore focussed on Compliance issues. He introduced the Cloud Controls Matrix, which helps in assessing the security risk of cloud providers.
Some of the other interesting initiatives that were discussed were:
- Trusted Cloud Initiative – Series of best practices that have been adopted in the industry along with training, research and certification to provide secure, interoperable identity in the cloud.
- Certificate of Cloud Security Knowledge issued by CSA to assess security specialists on their cloud security competency.
He offered a bird's-eye view of the cloud-specific security aspects, ranging from insecure APIs, Traffic Hijacking and Nefarious Use of cloud services to the importance of information life cycle management. He gave a brief overview of PCI Compliance, which can be implemented by the user himself, and the European Data Protection Act.
I was quite excited about the Open Source in Cloud session, especially in the Indian context, because I had doubts whether they were very much nascent in India. One of my friends, who is working at IBM Research Labs, pointed out to me that there is quite a frenzied activity around Open Source hypervisors and management stacks built around those. Although deployed solutions might not still be all over the place, the technology that makes a cloud deployment possible is very much mature with Open Source too.
MV Madhu, Managing Director, Wilshire Software in his session talked about four major players which are prominent in the Open Source space.
1) Cloud.com
- Elastic Host can be used via remote
- Only a small part of EC2 API implemented since OpenNebula Beta
3) Eucalyptus
- Fully API compatible to Amazon EC2
- Includes Walrus, S3 Compatible Storage Device Service
4) openQRM
- Single Management Console
- Support for Multiple Virtualization technology
- No Vendor Lock-ins
He personally favored Cloud.com due to its advantages such as 1) Hypervisor Independence 2) Virtual Resource Management features. The audience also pointed out the lack of support available in Open Source, which prompted them towards proprietary technology.
The next session on Open Source Cloud was undertaken by Sukanta Basak, Sr. Solutions Architect, Red Hat India. He talked about the convergence of various laws such as Metcalfe's Law, Kryder's Law and Fiber Law which were driving the Cloud Computing phenomenon. He also talked about the evolutionary shift happening from Virtualization to Private Cloud to Public Cloud. He explained Red Hat Enterprise Virtualization in detail. He added another perspective on the difference between Virtualization and Cloud, where the former consists of hardware abstraction and the latter involves resource abstraction. He also talked about the necessity of an Abstraction Layer to manage scale.
Prior to the sessions on Open Source, there was an interesting panel discussion on the deployment challenges involved in Cloud Computing. I have covered most of the issues that were discussed in the previous posts. Some of the additional takeaways from the discussion were:
a) Risks are not posed by technology per se, but by persons and processes involved in the adoption and implementation of technology
b) Laxmi Narayan Rao talked about the greener side of Cloud Computing. However, I have some reservations about this, as I have come across research which debunks the whole notion of green technology in Cloud Computing. Simon Wardley, one of my favorite Cloud gurus, explains the misconception involved beautifully here.
c) Data insecurity often amplifies and grows exponentially. Hence it is critical to understand the security aspects of Cloud computing.
d) CIOs have been late in adopting new technology due to the perceived loss of control. Support services have also not been adequately developed in this sector, which explains most of the reluctance in moving towards the Cloud.
e) The evolving nature of regulations was discussed. In the UK, regulations have been imposed which state that the data should reside physically in one of the systems within the continent. Since data often resides across continents, decisions are taken based on cost considerations.
f) Amit Saha, Global Head of Data Quality and Integration, Novartis, spoke brilliantly, added the pharmaceutical industry perspective and cogently explained the criticality of the voluminous data generated every day by the sophisticated life-saving instruments that are plugged into patients. He candidly admitted the necessary conservative attitude towards new technology owing to the immense risk involved.