There is no security standard for cloud; move forward anyway

Real standards won't be established until it's too late


Microsoft sees cloud computing as so central to the future of the IT industry and to its own fortunes that it is, once again, pushing a set of behavioral and technical specifications designed to set standards for security in the cloud.

The intent is first to secure the data and applications of customers and second to create a broad-based trust in cloud computing as a category to encourage customers to begin moving their IT resources there in greater numbers, according to the Microsoft exec responsible for pushing its Cloud security initiative.

"It's really as big a shift for IT as the shift from mainframes to computers," Adrienne Hall, general manager of Microsoft's Trustworthy Computing group, said in an interview.

Trust is a key element both in convincing executives to approve the move and for IT people making the deals with cloud-services companies, she said.

Microsoft's plan is a set of processes called the Security Development Lifecycle (SDL), which is designed to create documented, auditable, traceable processes to help service providers or end-user companies to develop secure software for any environment.

In the cloud, SDL provides the transparency customers need to be able to trust that the service providers they hire use systems, custom code, networking protocols and virtual infrastructures that meet a customer's security requirements, and processes to let customers make sure those requirements continue to be met.

Secure code is only one small part of what makes customers feel secure in cloud deals, however, according to most surveys, which cite vendor lock-in, shared-server hosting arrangements, clear SLA definitions that lay out what the security responsibilities of both customer and vendor really are, and the availability of the skilled programmers, sysadmins and NOC staffers they need to build, maintain and manage complex cloud environments.

Forrester's James Staten lays out most of those issues in relation to the restrictions of PaaS vs IaaS clouds, SaaS apps and infrastructure issues.

In his predictions for the cloud in 2011, Staten makes clear that there are a lot of competitors for the "cloud computing security standard," and that none are either comprehensive enough to be a slam dunk or have attracted enough followers to be a likely one-takes-all winner.
