March 06, 2010, 10:19 PM — Like a fickle 12-year-old with a favorite pop band, the security industry has forgotten all about last year's fads and is focused on a new one: cloud computing.
This was exceedingly evident at this week's RSA Conference in San Francisco, which boasted significantly improved attendance, including actual users and buyers.
It all made for a fun game of cloud bingo: start the timer when a vendor briefing begins and wait until you hear the word "cloud" -- then jump up and shout "bingo" (not an original idea -- Bruce Schneier publishes an excellent RSA bingo card). Fortunately it was not a drinking game, otherwise I would have risked alcohol poisoning. Few vendors made it past the 10-minute mark.
Cloud is the latest frontier of security marketing, if not of actual products or customer deployments. As our research shows, less than 1% of the people who participate have deployed anything in an infrastructure-as-a-service (IaaS) cloud, though we do see quite a bit of adoption in software-as-a-service (SaaS).
RSA President Art Coviello observed that this may be the first time the industry has started working on the security problems before the technology is mainstream. In a way, this is a welcome departure from the usual state of affairs where security is a long-delayed afterthought.
For companies that already use IaaS cloud (such as my company Nemertes Research), the issues of security are not mere philosophical musings. We have to soberly examine the inherent risks and build compensating controls.
Cisco's Chris Hoff opened the Cloud Security Alliance Summit at RSA with an excellent presentation on this topic, delivering a pragmatic assessment of the issue of cloud security. For Hoff, the question "Is the cloud secure?" is pointless, and "Compared to what?" is the only sensible answer. In Zen Buddhism, a "koan" is a philosophical question that cannot be answered but invites introspection -- "what is the sound of one hand clapping?" The Zen answer to such questions is "mu", which means "your question has no meaning". Let's all practice saying "mu" because the topic of cloud computing will create many opportunities for us to un-ask these meaningless questions.