Cloud Computing Will be More Secure

by Neil MacDonald  |  November 9, 2010  |  5 Comments

I presented a session exploring this provocative point of view at Gartner’s US Fall Symposium titled “Why Cloud Computing Will be More Secure Than What You Have Today”. This Wednesday afternoon presentation was a part of Gartner’s “Maverick Track” where presentations that challenge conventional wisdom are provided for clients. If you attended Symposium and weren’t able to make the session, all of the presentations are available online as well as (for the first time) videos of every session.

Interestingly, on the Thursday of that week at Symposium we had the chance to ask Steve Ballmer this question on stage during our mastermind interview session. Essentially, we asked him “Cloud Security – Oxymoron or Achievable?” His answer: Achievable. You can see the longer version at the link enclosed. His point was that there was too much money at stake and that the market potential would spur innovative approaches to solving this problem.

I agree.

Here are two recent examples. Trend Micro has introduced a new technology called SecureCloud, based on technology it acquired from Identum. Basically, think of this as full drive encryption for the Cloud. By using an agent (a kernel driver) loaded into each VM, all data written to and read from the Cloud provider’s storage is automatically encrypted. This keeps the Cloud provider’s staff from directly seeing your data, but is transparent to your applications running at higher levels within the VM. Of course, encryption alone means nothing without control of the keys. Here’s the really interesting part of their innovation: in phase I, your keys are stored in Trend Micro’s data centers. In phase II, the keys can be stored in your own data center. I’ve blogged about this before: if the Cloud provider doesn’t have your keys, they don’t have your data.
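To make the SecureCloud-style design concrete, here is an added example (my own illustration, not Trend Micro's driver): a tenant-side agent encrypts each storage block with AES-256-GCM under a key that is issued by the tenant's key server and never handed to the provider, and binds every block to its index so that a moved or modified block is rejected on read. The `Volume` type, the block layout and the key-issuance model are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Volume is all the provider stores: one ciphertext per block index. The 32-byte
// key comes from the tenant's key server and lives only in VM memory, never at the provider.
type Volume map[uint64][]byte

func gcm(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// blockAAD binds each ciphertext to its block index, so a block the provider
// copies or restores to a different index fails to authenticate.
func blockAAD(idx uint64) []byte { return binary.BigEndian.AppendUint64(nil, idx) }

// WriteBlock runs in the VM before data reaches provider storage: nonce||ciphertext||tag, fresh nonce per write.
func WriteBlock(v Volume, key []byte, idx uint64, data []byte) error {
	g, err := gcm(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand: only fails if the platform RNG is broken
	v[idx] = g.Seal(nonce, nonce, data, blockAAD(idx))
	return nil
}

// ReadBlock fails on a wrong key, a moved block, or any altered byte.
func ReadBlock(v Volume, key []byte, idx uint64) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ct, ok := v[idx]
	if !ok || len(ct) < g.NonceSize() {
		return nil, errors.New("block missing or truncated")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], blockAAD(idx))
}
```

Whoever holds only the `Volume` (the provider's position in phase II) can neither read a block nor alter or relocate one without the read failing.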

Microsoft is trialing a technology called the “Windows Azure Platform Appliance” (WAPA), which allows larger enterprises and service providers to become a part of the Microsoft Azure Cloud fabric while keeping compute and storage locally in an “appliance” (don’t let the name throw you, these are not toaster-sized appliances – think Winnebago! – with roughly 1,000 CPUs in the current version). My colleague Tom Bittman and I explore WAPA in detail in this recent research note for clients, along with recommendations for when it should be considered. WAPA will help enterprises address security concerns where data needs to be held locally for security and/or regulatory reasons. Microsoft is just an early example. There will be other cloud providers that offer a local appliance option over time.

There are many more examples.

The point is that innovation is alive and well and that most of the concerns enterprises have about the security of Cloud computing will be addressed over the next decade (many of them within the next few years), just as happened with the adoption of the Internet starting in 1994.

Category: Cloud, Cloud Security, Virtualization Security

5 responses so far ↓

  • 1 Saqib Ali   November 9, 2010 at 11:07 am

    Neil,

    Trend Micro’s approach is interesting. However, I am not clear on whether the decryption keys (in Phase II) ever travel to Trend Micro’s data centers for decryption of data for processing. If that is the case, then it kinda defeats the purpose of retaining the keys in-house.

    Also, I don’t quite like the idea of local appliances. From a security perspective it may look good, but from an auditing perspective it will only work if the documents are clearly labeled with confidentiality requirements, and Role Based Access Control is enforceable. This is rarely the case at most enterprises. There are better ways than local appliances to approach this.

    Saqib

  • 2 Neil MacDonald   November 9, 2010 at 8:34 pm

    Saqib, I’d ask Trend for the details – but my understanding is that in phase II, the Trend data center is out of the picture.

    On local appliances – what other approaches do you suggest? Most organizations do have Active Directory and use RBAC for many systems, servers and such. Many integrate AD into VMware for RBAC, for example. I’m not sure what you mean by document confidentiality requirements. We don’t have this today in most cases with our on-premises file servers, NAS devices and SharePoint servers, so how does a Cloud appliance make this any worse?

    Neil

  • 3 Lani Refiti   November 9, 2010 at 9:07 pm

    Neil, I agree with the premise that Cloud will be more secure. There is some great, innovative technology being developed as you mentioned.

    However, the point I make is that there are going to be so many dollars invested into Cloud services, controls/technology to secure this investment is almost a given. From a business perspective it is no longer a question of “Are you going to deploy Cloud services” but “When are you going to deploy Cloud services”.

    As the saying goes, “Necessity is the mother of all invention”.

  • 4 Neil MacDonald   November 10, 2010 at 10:57 am

    Lani,

    Yup. Agree. There is too much money at stake and lots of creative, innovative people trying to solve these problems.

    The observation that Cloud is a question of “When” and not “If” is exactly the same discussion about adoption of the Internet I had with clients back in the 1994-1996 timeframe.

    When does it make sense and for what type of workloads?

    That’s the question we need to be answering.

    Neil

  • 5 Aidan Herbert   November 15, 2010 at 12:35 pm

    The TPM (Trusted Platform Module) offers a lot of value for this type of application. The TPM enables secure key migration and enables use of the key on the remote platform without exposing the key outside the TPM hardware.
    TPMs are available on many server platforms.

    Use models include:
    - Strong cryptographic machine identity
    - Remote secure measurements and attestation
    - Secure key migration
    - Key protection