Security certifications for cloud applications, will it help adoption?

I just read this, a tad old pre-finance-crisis, but still relevant and good article on “Gartner prediction misses today’s enterprise cloud action” when I realized it was automatically linked to my post “Enterprise cloud computing and security, the missing debate or solved” – it actually still gives me hits, nice!

The post refers to security certifications for cloud applications and it also provides a nice grouping of applications with a timeline of when the author expects the cloud to be ready to handle this type of apps.

1. Low security sites such as marketing apps and batch computations on public data with public algorithms
2. Massive compute jobs that use proprietary algorithms that are not super-sensitive and operate on public data.
3. Super secret data and very sensitive algorithms

I certainly believe that certifications that document security and processes, and new good architectural solutions will bring us to a point where cloud-sourcing bullet three is considered ok sometime in the future, but it still comes down to the level of trust one is able to build.

If you are the owner of business critical data that is “super secret and sensitive” a certificate doesn’t help much when your competitor got hold of your customer base and attacked all your customers with their marketing machinery, but of course a certificate helps documenting and is good in the sales process.

Who knows, your data might be more secure in the cloud than in your basement server room, which is normally most certainly not certified and it will provide documentation to hide behind. To conclude, yes, I think it will help adoption.

Security officer, courtesy to erotikknett.no

Meanwhile, be aware of social hacking amongst your trusted security officers 😉

Yammer – Free enterprise Twitter as SaaS

Steria Norway is testing collaboration with Yammer – so far we are satisfied and a need is uncovered. It is a great example of enterprise software as a service solution featuring what seems to be good enough enterprise security by reducing visibility by others to only those with same mail domain.

Other than that it is a better version of twitter with file attachments, no post length restrictions and better group functionality.

Our community likes it. However, one needs to assess how it adds value to a projectized organization like Steria. Can it be too much collaboration?

Enterprise cloud computing and security, the missing debate or solved?

Gartner and IBM says Cloud computing will skyrocket in 2009. Microsoft is more reluctant but coming along as well. Several news sites report that 2009 will be the year of enterprise cloud computing, but others are unable to spot the next salesforce.com, requesting it to come out of the cave. Why? I believe that security concerns are the biggest hurdle; IT department does not trust that services in the cloud are secure enough. I am not talking about uptime and availability, which is also a needed discussion, but I am talking about viruses, hacking, and information leak and so on. Ok, Gartner sees this as well, but they still predicts “sky rocket growth” three quarters of a year later – I am not convinced, and I consider myself innovative – I dare not think about conservative 50 year old CIOs.

Viruses in the cloud, you got to be kidding? Well, last week Norwegian Police went out of business because of virus brought to them by MSN. Phishing attempts is a well known problem, and the “fatter” the account you can phish or hack, the more vulnerable it is. When Barrack Obama runs a teleconference in the cloud, god knows who listen to that.

Hacking in the cloud? Well, the first is social hacking; it has always been and probably always will be a problem, but when running on level one security (username and password) it is no doubt that it is not good enough, to get someone’s password is just too easy. I heard from youths at the age of 13 hacking MSN accounts. And one expects enterprises to jump onto this with storing mission critical strategy documents? No fucking way! Maybe you could get around this with solutions like decided IP-range, VPN-solutions, RSA code calculators and so on, but then the usability (and thus the usage!) starts to drop, people start complaining, the money starts running out anyway, and the IT department has it going. Norwegians has used internet bank since around 1998, when I visited Poland in 2003, long queues of bill paying polish men and woman were standing outside the banks. They had no trust in online banks, and thus were not using it. The same goes for US Consumers, using checks to pay bills. I am 25 years old, and can barely remember checks in Norway. Yes Norwegians have a large trust in banks, but then, BankID has never been exploited in successful large scale hacking attempts, and banks have spent millions on campaigns building user trust.
Information leak? Not long ago I heard about EmailXtender, a plugin to Outlook, helping you search for lost e-mail. The company at question had set it up wrong so all incoming e-mail was searchable from every employees computer. How about if the same thing happened to salesforce, suddenly some competitor could see all the leads to someone else? Often you want to share with people outside the company, but not always. The “not always” unfortunately is a must have, whilst as long as email, google documents and public CMS-systems works, the other is a nice to have. You get to share your documents and texts somehow anyway.

All right, I admit it, I am very critical towards enterprise cloud computing, but realise that I might “look like a server hugger who want to sleep with a copy of my data under my pillow“. Why am I critical? I have spent two years working for Steria and visited several customers, and security concerns are always an issue. Now, it may be that Steria has a traditional look upon this, we even promote and sell security consulting, but no one has yet proven to me that security is taken good enough care of when it comes to cloud computing. That said, I love the many fantastic new services developed out there like doodle, vyew, etherpad, comapping and so on, just do not even consider using them when you are hosting a discussion that needs a higher security level – yet!