ORLANDO -- Executives from two of the industry's top cloud computing providers opened the 2013 Cloud Security Alliance Congress Wednesday by not only enumerating the virtues of cloud security, but also by making the case for why a cloud-based IT infrastructure is more secure than the IT operations enterprises manage themselves.
Keynote speaker Teresa Carlson, vice president of the worldwide public sector division of Amazon Web Services (AWS) Inc., said cloud computing defies the long-held logic of the "iron triangle" of project management, which states that a project can only be completed by attaining two out of the possible three options of cheaper, faster and better.
With cloud computing IT projects, Carlson said, all three are possible, with the addition of security.
Tom Soderstrom, chief technology officer of the NASA Jet Propulsion Laboratory (JPL), has stated that JPL's data is more secure in the cloud than it was in its own data center, and findings from an IDC September 2013 survey indicated that nearly 60% of enterprises believe their cloud providers' security capabilities are better than their own.
Carlson, a speech pathologist by trade before her meteoric rise as a government IT executive at Microsoft and later AWS, said that improved security starts with a baseline level of infrastructure security, specifically hardened hypervisors and hardware.
"I hear from startups and SMBs [small- and medium-sized businesses] all the time that they can't find security professionals," Carlson said. "They need security by default at the infrastructure level and up, but with us, they feel there's a whole layer they don't need to worry about anymore."
Carlson offered several additional reasons for what she called the systemic superiority of cloud security over traditional IT security. At the top of the list was the integration of compliance and security, which she said is being enabled through the Cloud Security Alliance (CSA) effort to standardize provider certifications, documentation, auditing and other business process elements that streamline the security aspects of compliance attestation.
Carlson also claimed that a cloud provider can often adapt more quickly to changing business needs than traditional IT departments. As a result, AWS and other cloud providers can not only quickly respond to a compliance- or security-related concern, but they can also standardize necessary modules or controls so all their customers can benefit, simultaneously reducing the process exceptions that raise costs.
Co-speaker Mark Ryland, chief solutions architect with AWS' public sector division, proclaimed that the cloud offers greater visibility into IT assets than traditional IT infrastructure. In an AWS environment, Ryland said, enumerating every cloud instance is a matter of a simple application programming interface call, whereas discovering and analyzing the security status of systems has historically been far more tedious.
As another security advantage, Ryland cited the homogeneity of the cloud, particularly tools for provisioning from a baseline image with built-in security capabilities, defining asset classes and using them as the basis of security policy, and reducing "asset creep" by restricting cloud users to launching specific pre-configured systems.
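The visibility and homogeneity claims above can be turned into a routine check: enumerate the instances, then flag any that were not launched from an approved baseline image for their asset class. The script below is an added example, not code from the article or from AWS; the inventory is a constructed sample shaped like an instance-listing API response, and the approved image names and the `asset_class` tag are assumptions.

```python
# Added example (not from the article or AWS): a drift check over an instance
# inventory, in the spirit of the "visibility" and "homogeneity" claims above.
# INVENTORY is CONSTRUCTED to resemble what an instance-listing API returns;
# in practice it would be replaced by the real API output.
from typing import Dict, List, Tuple

APPROVED_IMAGES = {           # assumed: hardened baseline images per asset class
    "web": {"img-web-baseline-v3"},
    "db":  {"img-db-baseline-v7"},
}

INVENTORY: List[Dict] = [     # constructed sample inventory
    {"id": "i-0001", "image": "img-web-baseline-v3", "tags": {"asset_class": "web"}},
    {"id": "i-0002", "image": "img-web-baseline-v2", "tags": {"asset_class": "web"}},
    {"id": "i-0003", "image": "img-custom-unknown",  "tags": {}},
    {"id": "i-0004", "image": "img-db-baseline-v7",  "tags": {"asset_class": "db"}},
]


def audit_inventory(inventory, approved=APPROVED_IMAGES) -> List[Tuple[str, str]]:
    """Return (instance_id, reason) for every instance that drifts from the
    baseline policy: missing asset class, unknown class, or an image that is
    not an approved baseline for its class."""
    findings = []
    for inst in inventory:
        cls = inst.get("tags", {}).get("asset_class")
        if cls is None:
            findings.append((inst["id"], "no asset_class tag"))
        elif cls not in approved:
            findings.append((inst["id"], f"unknown asset class {cls!r}"))
        elif inst["image"] not in approved[cls]:
            findings.append((inst["id"],
                             f"non-baseline image {inst['image']!r} for class {cls!r}"))
    return findings


def compliance_ratio(inventory, approved=APPROVED_IMAGES) -> float:
    """Fraction of instances with no findings; 1.0 means a fully homogeneous fleet."""
    if not inventory:
        return 1.0
    flagged = {iid for iid, _ in audit_inventory(inventory, approved)}
    return 1 - len(flagged) / len(inventory)


if __name__ == "__main__":
    for iid, reason in audit_inventory(INVENTORY):
        print(f"{iid}: {reason}")
    print(f"baseline compliance: {compliance_ratio(INVENTORY):.0%}")
```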
Microsoft addresses cloud data privacy
The elephant in the room, namely the extent to which cloud providers may be susceptible to -- or even complicit with -- government spying, wasn't ignored. Keynote speaker Adrienne Hall, general manager of the Trustworthy Computing group at Microsoft, surprisingly devoted the majority of her time on stage to how the software giant protects customer data from governments.
Many have recently questioned the information assurance practices maintained by U.S.-based cloud providers following the series of disclosures earlier this year by former National Security Agency (NSA) contractor Edward Snowden, specifically in light of allegations that the NSA works with cloud providers to build backdoors into their systems to access customer data.
Referencing a blog post written by Microsoft General Counsel Brad Smith stating that Microsoft does not cooperate in any government data-sharing arrangements, Hall said Microsoft takes the security and privacy of its customers' data "extremely seriously" and its Azure cloud service group only responds to verified legal demands.
"To be more specific, we don't provide governments with complete, unfettered access to data. We respond legally when required to do so," Hall said. "We also don't assist governments with breaking encryption keys, and we don't engineer backdoors into our products. … If there is a large surveillance program, we're not involved in any such program."
Hall added that, to date, Microsoft has not provided data about a business or government customer in response to a national security order. She said the software giant also, as a matter of policy, always informs any customer affected by any legal request it receives.
Separately, Hall said Microsoft is working hard to fight the common cloud security "perception gap" by evangelizing the way in which it has extended its long-standing security development lifecycle to Azure, as well as its trust centers, the company's involvement in the Cloud Security Alliance STAR program, and numerous certifications and attestations.
Ultimately, Hall said, the majority of enterprises will come to the same conclusion as respondents to a comScore survey Microsoft commissioned earlier this year, in which 94% of respondents indicated experiencing security benefits in the cloud that they hadn't expected.
"We don't see security going away; it [has] just moved to more of a vendor responsibility," Hall said. Enterprises are "taking the money they would've spent in house and [are] applying those IT resources [to] other things or deeper security-related investments in other parts of the business."
Attendee Joseph Atkinson, IT program director for CA Technologies Inc. in Islandia, N.Y., said that while cloud computing does have its security advantages, whether it's a more secure option for an organization depends on the specifics of its IT infrastructure requirements and its risk tolerance.
Atkinson said his company is researching cloud providers and cloud security because of demand from specific business units, as well as a desire to take advantage of the cloud internally. He fears that many enterprise IT teams move too slowly on cloud computing due diligence, and as a result, individual business units begin using cloud services without the IT hand-holding that's needed to keep the organization and its data secure.
"Business units like IT that runs at the speed of business and satisfies their customers quickly," Atkinson said. "If we can't provide the solutions quickly, they're going to do it themselves."