Security often comes up as the number one concern of IT managers looking at cloud computing scenarios. How will security come to the cloud? The answer is that the path to acceptable cloud computing security will likely follow the same route taken by SOA governance, XML gateways and XML firewalls, according to a Gartner analyst.
"People will extend the idea of SOA governance boxes out to the cloud," said John Pescatore, vice president and research fellow, Gartner. He spoke at the recent Gartner AADI summit in Los Angeles, where other presenters also suggested that SOA methods will be important in next-generation cloud computing applications.
One of the benefits of XML appliances to date has been that they are largely dedicated to security concerns. They isolate security concerns from infrastructure operations, which has come to be regarded as generally 'a good thing' when it comes to building in security.
Separating the security concerns is key. Pescatore emphasizes that the highest-security approach is to keep security separate from the operational infrastructure.
Keep security separate from the cloud, advises Pescatore. Separate security infrastructures are appropriate in the enterprise today, he says, and this does not change in the new world of cloud computing.
As an example of keeping things separate, Pescatore points to a US Navy sub's use of Amazon EC2. Mainframe-class information is encrypted and stored on the cloud, but the bits are never decrypted there.
"In the world of software we've gone 20 years without being able to trust infrastructure," quips Pescatore. "Put firewalls in place," he adds.
Meanwhile, as cloud security best practices develop, we may see more use of established but sometimes foreign techniques. One of the techniques emerging as a best practice for cloud computing security is tokenization, according to Pescatore. This has proved to have merit for dealing with Cloud Data Governance issues, allowing enterprises to store sensitive information locally, while allowing other data and data pointers to be stored in the cloud. Tokens stand in for mission-critical data, keeping the information safe.
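
The tokenization pattern described above, as an added sketch that is not from the article or from Gartner: a local vault holds the sensitive values, and the record sent to the cloud carries only random tokens. The `TokenVault` class, the field names, the `tok_` prefix and the sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed data classification: which fields must never leave the enterprise.
SENSITIVE_FIELDS = {"ssn", "card_number"}

class TokenVault:
    """Hypothetical on-premises vault; the token-to-value map exists only here."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the lookup index
        self._by_token = {}  # token -> sensitive value (kept local)
        self._by_index = {}  # HMAC(value) -> token, so repeats reuse a token

    def tokenize(self, value):
        idx = hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()
        token = self._by_index.get(idx)
        if token is None:
            # Random token: nothing about the value can be derived from it.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_index[idx] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token):
        return self._by_token[token]  # KeyError for a token this vault never issued

def to_cloud_record(record, vault):
    """Replace sensitive fields with tokens before the record is sent out."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}

def from_cloud_record(record, vault):
    """Restore the original values locally after fetching from the cloud."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}

# Constructed sample record (not real data).
SAMPLE = {"customer_id": "C-1001", "region": "us-west",
          "ssn": "078-05-1120", "card_number": "4111111111111111"}

if __name__ == "__main__":
    vault = TokenVault()
    cloud = to_cloud_record(SAMPLE, vault)
    print(cloud)                                      # what the cloud provider stores
    print(from_cloud_record(cloud, vault) == SAMPLE)  # round trip succeeds locally
```

Because the tokens are random rather than encrypted forms of the data, a copy of the cloud record is useless without access to the local vault.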
While 'fear of cloud security' will be with us going forward, we should recall the similar hue and cry associated initially with SOA. "When we first rolled out SOA, the security people were aghast," recalls Pescatore. Maybe a look at SOA precursors for cloud computing will lead some people more quickly to a warmer, comfier feeling with the cloud.