I’ve researched virtualization security as it has evolved over the past several years, and I’ve come to the conclusion that Cloud Security (which is quite similar conceptually to virtualization security to begin with) will follow the same evolution:
Phase I: Organizations are focused on how to use the Cloud securely. That’s pretty much where we most of us are now.
Phase II: We start moving some of our security controls to the Cloud. This gained traction in 2009 and will be big in 2010. For example, web security gateway functions – see the “Cloudification” section in my post on the Top Six Trends for 2010.
Phase III: Using the Cloud to do things better than we can with our own on-premises equipment. Not only because Cloud-based computing should be an inherently more secure computing model, but for using the Cloud in ways that we can’t readily do with on-premises equipment. I’d be interested in your examples in addition to a few from my list:
- Building more accurate models and heuristics of malware and malicious activity based on broad visibility and having more computing power to perform the analysis
- Massively parallel static analysis of source code and binaries
- Security that roams with the user as they move among networks we don’t own or control.
- Real-time ‘reputation services’ that correlate information across multiple logical entities simultaneously – e.g. IP addresses, user identities, URLs, email and file objects.
That’s just a few of the emerging applications I envision.
No doubt, getting our usage of cloud-based computing secure is foundational. But that’s just the beginning of what is possible.