I am heading over to Jersey City tonight to attend a meeting on Cloud Security, organized by IOActive. Despite Hoff's best efforts, cloud security confuses me. I understand information security and I understand "The Cloud" as well as most other people do (which isn't saying all that much), but I fail to see how combining the two suddenly makes a completely new field that is worthy of all the buzz it gets.
We have been dealing with outsourced business functions for a long time and most organizations are used to doing it; some have even gotten quite good at it.
Reading the Cloud Security Alliance's document titled Security Guidance for Critical Areas of Focus in Cloud Computing.
If you have not read that document yet, go do it now. If anything, the architectural framework defined in it is very worthwhile and I hope it will bring the Cloud playing field to adopt similar terminology when talking about identical things.
Keeping in mind Hoff's distinction between the three architectural layers (Infrastructure as a Service, Platform as a Service, and Software as a Service) clearly helps in shaping our perception of risks associated with outsourcing a business function, and it will support defining our responsibilities as an outsourcing organization.
The document provides guidance on how to direct existing efforts to facilitate Cloudification. There isn't all that much in there that is truly new.
The fact that we are struggling with this shows once more that our field is young and emerging, and that we haven't really even reached adolescence. It is a fun time, but as with all new things, stepping back every now and then to reflect on what's going on should also be a priority.