Byte's original post: I don't think it's going to be a nightmare but rather we're going to have to change the way we think about things. In the end we still have to adhere to the same principles as before -- CIA -- to ensure corporate protection. I think Cisco is using a little FUDing here to drive some market share towards them. If we break it down..

1. We have to ensure security of the physical datacenter. This should already exist as a standard. Even when that physical datacenter (aka infrastructure in the video provided) is spread across multiple areas, there is always a physical component that needs to be looked after.

2. The application or virtual servers that run on the infrastructure still need protections. Either host-based firewalls or networks for them to go out on. And either host-based or network-based virus protection (virus walls?). The scanning you mentioned, where one part of the cloud is heavily scanned while others are not, is likely an indication of an outbreak (think viruses that affect humans -- recent swine flu outbreak shut down many locations and nearly stopped all border traffic for Mexico for a while and CDC + others visited -- same principle).

3. Separation of networks. VLANs and good virtual switch design can ensure that an environment is kept sound. Firewalls, regular audits and monitoring are all things that should be done on a regular basis.

Quote: Originally posted by nihil
The main issue is likely to be that you are putting control and security of your data and processing in the hands of a third party (that includes business continuity).
You do that already when you purchase anything from anyone today. I buy software from MS, Apple, etc. and I'm putting control and security into their hands (aka, I'm trusting them to build good, ethical software that won't phone home). If I go to a consultant to provide security audits for a company, then I'm trusting them to do a good job and be ethical -- whether they are 2 feet in front of me or 6000 miles away.

It is a question of trust in general. The internet, as a whole, has had this degraded over the last 15+ years or so. While not a true computing cloud (there's no control over which resources run and which don't during peak and non-peak times) it's a kind of cloud that has let trust erode from its membership.

I can see problems with the next logical step, though, which is when the service providers try to maximise their profits by taking the actual provision offshore.

There is also the major issue of employee selection and vetting procedures?
The issue you're referring to, Nihil, really isn't cloud computing itself but rather who runs it and is it internal, external or both? A question of trust from the sounds of it. Running off shore in itself isn't an issue. It's how it's managed off shore and how are things verified off shore that is the issue. We're a global society now. For smaller organizations it makes no sense to run their own external cloud unless there is a reason for them to do so (e.g., legal requirements, health policy requirements, etc.). They can use existing environments or the precursor to cloud -- standard virtualization (whether host or hypervisor model).

There is a mythos that outsourcing to India and other locales automatically means that data is compromised but keeping it in the UK, USA or other "industrialized nation" means it's secure. Bullshit. There are just as many unethical administrators here in the industrial world as there are elsewhere. If I do not vet who I outsource to, regardless of their physical location, I do a disservice to myself, my company and, in some cases, may be breaking the law by not ensuring that standards are met.

If offshoring is a concern, then house the cloud yourself. Run your own cold/warm/hot site at your own physical location (75 miles away or whatever to account for major natural disasters). Use standard scanners (traditional AV on the servers -- physical and virtual) and standard firewalls. It will mean more work for you and less play time but at least it's not outsourced.

Like any other form of outsourcing, vet the company. Get them to provide a security report from a reputable and responsible firm. And if possible, get your own 3rd party to do an independent audit. Visit the site they host and ask about their procedures for things like hiring, auditing of systems and people, etc.

If you just go ahead into the cloud and don't ask questions, well.. Caveat emptor, eh?



Quote: Originally posted by ByTeWrangler
http://www.youtube.com/watch?v=QJncFirhjPg

Possibly the best video out there explaining Cloud Computing. I always compared it with virtualization but it’s not exactly the same. Anyway A MUST WATCH VIDEO.

That's a pretty good basic description. The key is, of course, the ability to access resources on demand and then disable (shutdown) those resources when not in demand (it always makes me think of a modified Beowulf cluster).

Traditional virtualization (e.g. VI3, Xen, Hyper-V) is the basic infrastructure needed to get to cloud computing. vSphere is closer to cloud than traditional virtualization. The ability to power off physical servers, VMs, etc. when resource utilization is low is one of the main features. The one thing that, IMO, is still holding us back is the fact the VM is still -- technically -- reliant on a single machine for its "four food groups" (cpu, memory, network, disk). That may go soon, too, however, with the advent of FT for VMs (which I really like as a concept and for its purpose).


Ultimately, one of the things I've noticed is that a lot of people look at cloud and they go "oooh!! Magic!!! It's so scary!!" <insert Gabriel Iglesias voice here> It's not. It's just changing some parts of how we do computing from a strict physical compartmentalization to a virtual compartmentalization to a cloud compartmentalization. We're not at the point of the neural networks (aka Star Trek) but we're moving towards it, baby-step by baby-step.