A Commentary and Essay by Ron Knode
Have you ever been in a race? I ran a lot of races during my competitive track and field career at the U.S. Naval Academy and during the dozen years thereafter. Every one of them started with the commands “On your mark … Get set … GO!” Usually a starter’s pistol would fire on the “GO” command, but it was clear that the race was underway, and all of us were finally off and running for the prize of victory.
I was a pretty good runner, and I won my share of collegiate and post-collegiate races. But I learned very early that no matter how good I was at the “On your mark” part of the command, or how well prepared I was for the “Get set,” what really mattered was the “GO” part of the command. It is the “GO” that makes the race happen and the prize possible. Can you imagine a race where we have only “On your mark … Get set …” and nothing else? The runners (good and bad) would be stuck at the starting line forever. No amount of training or coaching or preparation could deliver any payoff.
The same reality holds true for cloud processing. If we are to reap the benefits promised through the global computing utility model offered by the cloud, then we must get to the “GO” command and start competing for payoffs. To be sure, preparation and planning (“cloud payoff training”) are necessary, but such preparation must not become an excuse for unnecessarily delaying cloud processing as a part of our enterprise IT strategy or for avoiding the cloud altogether.
Clearing the Security Hurdle
The state of cloud security is often cited as the hurdle most likely to prevent a “GO” command for enterprise cloud processing. Yet at two recent conferences we saw again that the state of cloud payoff training for secure cloud service delivery and consumption is well able to boost us over that hurdle. In fact, the cloud security preparation already done by early cloud researchers, users and providers can be used to make us all better competitors in the race for payoffs with cloud processing. We have learned and trained well to combine real cloud security capabilities with a dynamic service transparency that delivers “evidence-based confidence that what is claimed to be happening is indeed happening … and nothing else.” This combination has been the ultimate target of our cloud payoff preparations, and we can now declare ourselves “fit” to start the capture of promised cloud service payoffs.
The NIST-sponsored Cloud Computing Forum and Workshop IV offered a variety of updates, orientations, panel discussions and true working team events, all of which were primarily targeted at secure cloud computing for the U.S. government. I participated in one of the more provocative panel discussions, entitled “Security Assumption Busters.” Although we dealt with about a dozen different assumptions about cloud security, perhaps the most important one to be busted was the persistent notion that “nobody understands my cloud security needs.” That notion leads, over and over, to what has been termed the “genesis syndrome of cloud security”: the (mistaken) belief that the enterprise must begin its own cloud security journey from scratch. Although it is true that almost any enterprise can find some business or mission need that represents a distinctive characteristic in its cloud security requirements, we are long past the point where such operational distinctions force us to start our cloud preparations with a root event and a clean slate.
For example, the work of the Cloud Security Alliance (CSA) in preparing a complete cloud Governance, Risk and Compliance (GRC) stack lifts every enterprise well beyond a genesis start. Furthermore, the CSA’s continuing work on the evolution of the Cloud Controls Matrix (CCM), the Consensus Assessments Initiative (CAI), CloudAudit and the capstone CloudTrust Protocol (CTP) means that today we can take advantage of cloud payoff training that will keep us in shape to pursue payoffs with cloud processing tomorrow. In addition to the GRC work, the CSA also supports the drive for cloud payoffs with agile and practical research into a trusted cloud architecture (with CTP-supported transparency), security metrics for a cloud service, cloud data governance, a free and open cloud Security, Trust, and Assurance Registry (STAR) and even a CloudSIRT. Finally, the NIST results that were announced and made available at the NIST forum also provide substantial training material that readies us to compete for cloud payoffs.
The CSA held its own conference shortly after the NIST forum. My next post will be about the additional cloud payoff training regimen presented there.
Continued in Part 2