Overcoming Fear of the Cloud
Jeff Reich, University of Texas, San Antonio
It's time to tackle that fear head-on, says Jeff Reich, Director of the Institute of Cyber Security at the University of Texas, San Antonio. In an exclusive interview on cloud computing and virtualization, Reich discusses:
- What's most misunderstood about virtualization and cloud;
- How to overcome the biggest barriers to widespread adoption;
- Easy wins for organizations taking their first steps.
Reich is the Director of Operations with the Institute for Cyber Security at the University of Texas at San Antonio and serves as the Chairperson of the South Texas Information Security Leadership Council. He is a Founding Member of and Group Leader and Section Author for the Cloud Security Alliance. Previously, he built and maintained security and risk management programs at Rackspace Hosting, CompuCredit, Interland, CheckFree, Dell Computer Corporation and ARCO Oil and Gas Company. Reich has been actively involved in the Information Security community for some time. He was the Director of Education for the InfraGard Capitol of Texas Chapter. In addition, he is a past president of the ISSA Capitol of Texas Chapter and was the Vice President of the ISSA Metropolitan Atlanta Chapter.
TOM FIELD: To get us started here, why don't you tell us a little bit about yourself and your background please?
JEFF REICH: Certainly. I've been here at the Institute of Cybersecurity at the University of Texas at San Antonio for a little over a year, and we have a focus that deals with security research. That is basic research -- the typical academic research -- as well as applied research, which results in the innovations and comes along with community outreach, education, and training. I really enjoy the opportunity to do this here. Prior to this, I've had Chief Security Officer or equivalent positions at two different hosting companies. I started the information security program at Dell Computer Corporation, and I've worked at a couple of financial services companies and at an oil company. So this is what I've been doing for quite a while. I've spent the last few years focusing a bit more on virtualization and cloud computing.
FIELD: Well, you get a great perspective from the institute. When you look at virtualization and cloud computing, what is most misunderstood about them in the marketplace?
REICH: I think there are two things that are most misunderstood about virtualization and cloud computing, and I use the terms separately because virtualization is a key component of cloud computing, but cloud computing is much more than simply virtualization. Virtualization in and of itself says that you are going to use computing power virtually, as if it was hardware dedicated to what you were doing. That certainly gives the economy of scale and other benefits for ease of configuration. Cloud computing uses a lot of those principles, but also has some additional characteristics that focus on elasticity and a set of metrics that can go along with it, and on demand provisioning with little or no human interaction. So it takes virtualization to another level, and one of the things that is most misunderstood about this is that cloud computing in particular is thought to be failsafe, as in everything is out in the cloud. People sometimes think there is no hardware involved ... and as a result it will never fail. So it's one thing to keep in mind, cloud computing is not limitless. Every cloud has its own boundaries. So it's not necessarily whose problem, but that is probably the first basic misunderstanding there.
The second one is that cloud computing and virtualization are always cheaper than doing traditional dedicated hardware, and in most cases that is probably true. One of the reasons that it ends up being true is that you give up a lot of things when you go to virtualization and working cloud that you have with a physical datacenter that you may manage yourself. Not all of those things you are giving up are necessarily good or bad to give up, but there are some things that you are giving up that inherently come with controlling your own hardware that you don't get when you are sharing resources with other customers of the cloud.
FIELD: So Jeff, you are in a good position to see the marketplace, and certainly I talk with lots of people in financial services especially that talk about going to the cloud, but there seems to be a barrier. What do you see as the barriers to widespread adoption of virtualization on one hand and cloud computing on the other?
REICH: Okay, well I'm going to bunch the two of them together for the barrier, because I think they are going to be very similar. And it is really only one barrier, but it breaks into two major components. The barrier is fear, and fear usually results from the unknown. So right now, to most people, virtualization to a degree but cloud computing very much so, is the big unknown. People don't know how to define it. They don't know what it necessarily really means. They don't know what the impact is going to be on them, and they don't know what the long term effects are going to be from using it. So there is certainly the fear of "I don't know what it is; I can't go up and touch it, so I don't really know how to understand it." That is one of the biggest barriers I believe.
The second one is, once people get past that a bit, the next biggest barrier people want to face, and this is what I see all the time, is, "How do I know it's secure, how can I trust it? I'm using a shared environment with a bunch of other people that I don't even know, and it's being managed by someone who doesn't work for me, and how can I have any level of assurance that people aren't seeing my information, that my information isn't leaking somewhere else?" It's not being infiltrated with other data, it's not being changed without my knowledge, and in some cases those fears can be well-founded, but they can all be addressed.
FIELD: Well, let's talk about how they are addressed. How do you see these barriers typically overcome in an organization, and I particularly would emphasize that last one because it's a common one I hear - "How do I know I'm secure?"
REICH: Well, you know I've worked at two different hosting companies, one of which is a cloud provider, and being the Chief Security Officer there, I would often have to respond to my counterpart at the potential customer saying, "Why should I trust you?" or "How do I know I'm going to be secure?" It wasn't a matter of personal trust, at least I hope it wasn't. The answer I would always give is, "Well, how do you know that the environment in which you are working now is secure?" To be perfectly frank, 80% of the respondents gave a "Well, here's why: because I had a SAS-70 audit and this happens. Did I meet these requirements?" And I could almost to a letter say, "Well, we do the same thing here at the cloud provider; however, the difference is you can still go in and look, and touch, and lock a door, and have a level of control that may or may not be false that you can depend on, that you won't have in cloud computing." So before you worry about overcoming the barriers about security with cloud computing, make sure you have a clear understanding of what concerns you have for computing in general, and what objectives you want to have met and what objectives you need to have met, and then it should become relatively easy for you to determine: Can a cloud provider or building your own cloud meet those objectives? In some cases, cloud computing may not quite be mature enough to do some of those.
FIELD: So for organizations that have gotten off the fence here and are dipping their toes into cloud computing or virtualization, what do you find to be some of the either low hanging fruit or easy wins that they can do to justify their investment in their business case?
REICH: I think the first thing you do, if you want to get into cloud computing, which I by the way support -- I am a founding member of the Cloud Security Alliance, and believe cloud computing is the next evolution for how computing is going to work in general -- the first thing you could do is, as I said, you have to outline what your objectives are, what your requirements are, and what your desires are, and clearly map them with either the cloud that you build for yourself as a private cloud, or a cloud provider that you subscribe to, to say, can you meet these and how? And assuming that you can get past that, the next thing I would recommend is -- and I heard you say dipping their toes into it, and in all honesty that might be the right approach right now. Depending on what you do, you may not want to dive in head first, because if you are under the governance of things like PCI data protection or HIPAA requirements, and a bunch of other disclosure requirements that you may be subject to, that not only affect control but require you to report if you have a suspected disclosure ... you might not want to lead with that information first. And it's not because the cloud can't be secure, but it's a new environment for you. Most enterprises don't take their most critical assets and put them in a brand new environment that hasn't necessarily had time to mature yet. The cloud is, without a doubt, still maturing a lot. So there are a lot of applications that should be user-safe that give you quick on-demand provisioning, elasticity and the capabilities to grow and shrink as the needs are, and you pay as you go so your investment can be minimized; your upfront investment can be minimized. That makes sense for cloud computing, but for static storage of data that has to be sensitive and controlled, unless you are dealing with your own private cloud, I would say that may be something that is probably worth waiting on a bit.
FIELD: Jeff, we've had a number of organizations that have got their feet wet in cloud computing especially. What's beyond the easy wins? What is the next stage for these organizations that have seen some of these early successes?
REICH: Well, I think for organizations that have good or early successes in the cloud, they are going to find the big benefits they've seen so far have been ease of growth, at least as much growth as they drive the cloud is going to be able to support, and dynamic configurations and a universal delivery of their applications to their users. You know the cloud by definition -- if you use the definition of the cloud, cloud computing is going to have your biggest delivery across the web, which means on your handheld or on the web browser or on a tablet machine, it's going to look and feel the same and have the same delivery of information and content.
They are seeing those wins now, which with traditional web applications would be much more cumbersome and slower to deliver. So I think those are the first wins that a lot of organizations are seeing so far.
I think the next step is to take what was in many cases, subscribing to a public cloud and creating a hybrid cloud, which has some private cloud that they control. In other words, all those same characteristics, but they can control it themselves, along with a public kind of infrastructure that they already subscribe to, and start putting some of their more sensitive applications or information that has greater disclosure requirements into the private cloud, so you can still take advantage of all the scalability and price advantage of the public cloud and mix it with where your more sensitive areas are. Find a way to blend those two, and you're just starting to see that happen now.
FIELD: Jeff, a final question for you. We're close enough now we can start to see 2011 in the windshield up ahead. What do you see as some of the key trends in virtualization and cloud computing?
REICH: That is a good question. I think in the area of virtualization, what we've seen over the past few years is operating system virtualization. You can take a piece of hardware with a little power behind it, and generate a number -- it's still a finite number, but a number -- of operating systems or virtual machines within that hardware, and have it appear as if you have a larger computer capability. You make better use of your hardware and you have a lot more flexibility as to how you can run what and where. One of the big constraints still is the IO associated with, and costs associated with, storage -- information storage, disc storage. I think you are going to see more and more adoption of virtualized storage in the same way you saw virtualized operating systems become available. The price point for those will come down, I think, to a point where many enterprises will want to get into that, if they aren't already, in 2011.
When you combine virtual machines with virtual storage, you now have what can be a much more portable environment that gives you the opportunity to mix and match your cloud computing providers or the cloud environment you create yourself, and move all those applications around, because none of them are really going to be tied to hardware anymore. So I think you're going to see a much more portable environment. I also think you're going to see more and more cloud customer requirements or demands to say, "Here's how I want you to demonstrate to me that my privacy controls that I'm putting in place can be counted on, and related security controls." I think those are the two big ones you're going to see coming up in 2011.