A New Definition and an Old Theme

Just as folks come to terms with the complexities of using the Internet, along comes the BBD—the Bigger Better Deal. I suppose it is inevitable; evolution and revolution are in our nature. Thus we proceed, to recap recent history, from the Internet to the World Wide Web to the Cloud.

“The Cloud” has become so popular that everyone wants to join the party. As such, many things on the Internet (and off) are now called “Cloud.” It reminds me of when dot-com was the BBD. A typical TV commercial from early in the dot-com boom would feature a pitch for something not at all dot-com related before the pitchman would say, “You can reach us at 1-800-Blah Blah Blah dot com.” Uh, right. These days, he’s probably describing cars or discount mattresses as “cloud offers.”

In an effort to reduce the confusion around cloud and separate the real cloud from the party-crashing wannabes (the equivalent of the dot-com pitchman), I’ve been referring to capital-C-Cloud as the one defined by the NIST—the National Institute of Standards and Technology. It looks like more people are about to do the same.

On February 2nd, the NIST issued a pair of draft documents regarding cloud computing. The first, “NIST Definition of Cloud Computing,” offers the organization’s working definition of cloud computing, one that the NIST has been using for a while.

At just over 50 pages, the second document, “Guidelines on Security and Privacy in Public Cloud Computing,” chronicles the security and privacy challenges for public cloud computing. It also offers recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment.

Sifting through the second document, I saw phrases—“carefully plan,” “understand the public cloud computing environment,” “maintain accountability”—that reminded me of a presentation I’ve been giving to potential capital-C-Cloud customers for almost a year. When you look at the big picture, Cloud is a sort of “second verse, same as the first” type thing when it comes to risk and security. Remember the old time-sharing mainframe days? It’s the same thing all over again. It’s just that Cloud is the BBD. We’ve been managing risk for thousands of years. The names and the lexicon change, but the ideas are very similar.

Castles, moats, and guards, for instance. Firewalls (the moat) and intrusion protection (big burly guards at the drawbridge) are variations on a theme. Protecting data itself isn’t unlike dressing soldiers in flax tunics or armor before sending them outside the castle walls. We have ways to encrypt the wired world, and now we’re encrypting the wireless world. The system was at risk and we came up with a plan for mitigating that risk. It makes evolutionary common sense. It shouldn’t be profound.

Organizations like the NIST and the Cloud Security Alliance (which also provides guidelines and a definition of Cloud that align with that of the NIST) are setting standards for people in Cloud because they have a compelling reason to do so. Before government can seek out vendors to help its various agencies take advantage of the benefits of Cloud, it needs standards for how to go about doing so. When the system is at risk, we come up with a plan for mitigating that risk. Cloud is just the latest BBD. When you look at risk management holistically, the mechanisms begin to look the same.

Jeff Huegel, Cyber Security Chief Architect, AT&T