The Cloud Security Alliance Central Eastern Europe Summit gave a good opportunity to learn about the Cloud Computing market in areas of Europe that are less reviewed. The congress, held in the center of the old city of Ljubljana, provided interesting mixture of Information Security professionals along with various cloud providers and end users coming to explore the news in this dynamic world of cloud computing.
And the news was definitely coming in a storm. First speaker for the morning was Raj Samani, EMEA CTO for McAfee who gave an interesting look at the eco-system of Cybercrimes. In an excellent performance, Mr. Samani described how the cloud models are also propagating into the Cyber Crimes ecosystems. “Cyber Criminals today do not need to be a disturbed computer genius”, he explained, “All you need to have is a credit card”.
Cybercrimes usually containthree components: Research, CrimeWare and infrastructure. All those components can be acquired in the same models of cloud services as we know from our daily life, McAfee CTO revealed as he ran slides describing different services starting from spam and botnet for hire but also going all the way up to e-mail hacking service and even guns and hit-man as service websites. While we know that those services exist for a long time now, it was hard not to be impressed from the sophistication and the granularity of each service details. The level of transparency and detailed SLA that some of those “hackers of a service” adopted, can even provide some lessonsto traditional cloud providers.
In the next presentation, François Gratiolet, EMEA CISO for Qualys, gave a brief review about the business drivers and market characteristics of security as service offering. “SecAAS can improve the business security by enabling the organization to focus on itskey assets and risk management while maintaining flexibility and agility”, he explained, “but the offering still needs to mature and provide more governance, liability and transparency”.
The call for more transparency from the cloud providers is repeating in all cloud security conferences, and some cloud providers recognize it as business advantage. Jan Bervar, CTO for NIL, presented how NIL, a local IaaS and PaaS Provider, has taken the strategy of providing secure cloud services that are trustable and transparent. “We set controls and strict standards on our services”, explained Mr. Bervar while he listed cloud computing top threats and how NIL offering is protecting customers against those risks.
Governments and the EU commission are also aware of the fact that they need to help cloud consumers and cloud providers to increase trust among them. The EU strategy for cloud computing includes a plan to “cut through the jungle of laws and regulation” that currently many stakeholders encounter. Big part of this process is dependent on the new data protection law for the EU that is being promoted as we speak. Gloria Marcoccio, from the Italian chapter of the Cloud Security Alliance, reviews the progress of the new EU data protection legislation and its effect on cloud computing players. Judging from that lecture and other lectures such as lawyer Boris Kozlevcarpresentationabout SLA and PLA challenges in the cloud, emphasize how important governments role in enabling the business and legal framework for cloud computing practices.
When discussing the future of cloud computing, we are starting to hear more about “Cloud Brokerage”. Dr. Jesus Luna Garcia from the Cloud Security Alliance explained the role of Cloud Brokerage in his presentation about Helix Nebula, a cloud environment built for providing computing resources for science and academic organizations in the EU. Helix Nebula project act as intermediate between the consumers and a variety of cloud services and provide added value services such as standard security policy and secure data transfer across providers as well as continues monitoring and different service levels. This interesting model is a good sign for how the future implementation of cloud brokerage will look like.
Shifting from the legal and business aspects to the technology challenges.Interesting presentations heard from Trend Micro presenting their solution for virtual environments and the future of security in hybrid clouds. The new software define network technology was also introduced in a presentation by researchers from the university of Ljubljana elaborating this new technology challenges and benefits. SDN technology will probably change the way we treat network security in the cloud and got a good potential to give akick start for new technologies dealing with the threats of tomorrow.
And of course, no security conference these days is complete without discussing the challenges of government access to data, inspired by PRISM and Snowden leaks. In the two concluding presentations from Astec and Slovenian cert it was discussed the effects of the latest news about the extent of US government and other governments in their pursuit of data access. There is much to be said on this topic and it hard to summarize it in one article, but bottom line is that governments across the globe are spying on private communication and will probably continue to do so.
The effect on cloud computing adoption will probably remain for the short term only, since the cloud value proposition is just too high to ignore.
Moshe is a security entrepreneur and investor. With over 20 years’ experience in information security at various industry positions. Currently focused on Cloud Computing as board member for Cloud alliance Israeli Chapter, public speaker on various cloud aspects and investor at Clarisite and FortyCloud – Startup companies with innovative security solutions. More information can be found at: www.onlinecloudsec.com