Open source code is providing several avenues into the cloud. But Microsoft's support of OpenStack gives it a lift amidst a crowded field.
An Update On Cloud Security
On the security front, I noted last week how Savvis, Cisco, VMware, and Hytrust had published a white paper pointing the way to a Payment Card Industry (PCI) compliant cloud architecture. That's not to say someone building such an architecture in the cloud today could get it approved by auditors. Rather, it was a kind of weathervane saying the Jan. 1 implementation of new PCI 2.0 regulations takes everyone a step in that direction and there were no longer big unknowns over whether it will someday be possible to do PCI transactions in the cloud.
If you believe that, then a survey conducted by Hubspan won't necessarily surprise you. A third party employed by Hubspan submitted a questionnaire on cloud security to 200 interviewees, and 84% of them responded that they believed sensitive data could be stored in the cloud.
That's contrary to every cloud survey you and I have seen prior to this one, and probably suspect, since Hubspan's business would broaden if more clients were willing to store sensitive data in the cloud. I wasn't able to find out a lot about who the respondents were exactly, although Hubspan spokesmen assure me they were not exclusively Hubspan customers and Hubspan itself didn't conduct the survey. Still surveys conducted by vendors tend to confirm some result that is more helpful than harmful to the vendor's business.
Nevertheless, the sheer scale of 84% may be a sign that security worries over the cloud are abating somewhat. As Amazon Web Services, Terremark, Rackspace, and Savvis produce cloud services that they describe as private rather than public, the notion is taking hold that there are ways to restrict exposure and ensure privacy of data, even in a facility that includes operations of a public cloud.
I heard Steve Riley, security architect at Amazon, speak at the Cloud Computing Conference Nov. 2. It was eye opening when he described how he, one of their top security designers, can't set foot in an Amazon data center, due to its policy of shutting out anyone who doesn't have direct and immediate business there. If a customer wants to inspect the security measures typical of the servers he'll be using in the cloud, too bad. "We decided it was better to shut everybody out" and reduce potential exposure than to let customers in, even when it would be good for business, he said.
They'd thought the problem through and made a tough decision upfront and stuck to it, as best I know. Riley was an excellent spokesman for security measures at EC2. I wouldn't be surprised if somewhere in that 84% of respondents answering affirmative on sensitive data were a few people who heard him.