RSA Keynote: Cloud's Future Depends on Security
People must be able to trust the cloud, RSA president says.
Cloud computing has the ability to complete the transformation of information technology that was started by the Internet, but its success depends on security, said Art Coviello, RSA president and EMC Corp.'s executive vice president, on Tuesday in his opening keynote of this week's RSA Security Conference.
"The journey to the cloud is inevitable, and we are going to have to secure it," he said.
Cloud computing has the ability "to make sweeping changes in the infrastructure" by freeing organizations of the need to spend two-thirds of their IT budgets on basic expenses. Instead, they can invest in resources on-demand, he said. "But we have to be careful we don't end up in security hell."
Scott Charney, Microsoft's vice president of trustworthy computing, said cloud computing has new implications for the company's 9-year-old Trustworthy Computing Initiative. It moves the goal of end-to-end trust out of the PC or the enterprise and into a new environment where no one entity has access or authority. Identity authentication and privacy will be the key elements in enabling cloud computing, Charney said.
RSA has announced an initiative with VMware, Intel and Archer Technologies to enable the visibility into cloud security that will be required to ensure that policy and regulations can be enforced in the virtual environment. Microsoft has announced that it is making cryptographic algorithms for its U-Prove minimal disclosure ID management scheme available for use under an open source license.
Coviello said the security industry has the opportunity to ensure that security is built into cloud computing from the beginning so that it can be used to its full potential. "People must be able to trust the cloud," he said.
In this early phase, there is little critical information and few critical applications being used in the cloud, so security requirements have not yet been demanding. But as adoption expands and risks increase, "security will get pushed down the stack, deep into the virtual layer," he said. As resources are outsourced, the ability to enforce and document policies, and demonstrate regulatory compliance will be needed, he said.
The movement of data into a virtual environment not controlled by individuals requires a rethinking of how we approach identity management, Charney said. Enabling security along with privacy requires the ability for a user to prove the minimum necessary information about himself during a transaction, without exposing unnecessary information. That is the purpose of the U-Prove scheme. It is "claims-based" identity system based on proving certain claims about the user without including the entire identity if not necessary.
Charney warned there are also social, political and legal issues that will have to be addressed as more data moves into the cloud.
"The cloud has the ability to alter the balance of power between the individual and the state," he said. "Everything will go to the cloud. Government and litigants can go to the cloud and get that information without coming to the individual."
William Jackson is the senior writer for Government Computer News (GCN.com).