Security can and should be built into cloud computing infrastructures – a change from the traditional model of bolting security on, an information security leader said during Tuesday's opening keynote of the 2010 RSA Conference in San Francisco.
The challenges of compliance, data protection and risk management are compounded in virtual environments, said Art Coviello, executive vice president of EMC and president of the company's security division, RSA. But with collaboration, those in the information security community can build security into the cloud and ensure a level of protection that surpasses that of physical environments, he added.
“We can create an infrastructure that is more secure and enabling,” Coviello said. “We can make the cloud inherently secure.”
The journey into the cloud is inevitable for businesses of all sizes, he said.
Around two-thirds of a company's IT budget typically is spent to maintain the enterprise infrastructure, he said. Cloud computing presents an opportunity to alter that ratio and allow more of the IT budget to be spent on security and innovation.
“[Cloud computing] enables businesses to leave their costly infrastructures behind and move to a new pay-as-you-go model characterized by choice and agility,” Coviello said.
Ultimately, cloud computing technology has the power to change the IT industry and transform information security, said Dave Cullinane, chief information security officer of eBay and a founding member of the nonprofit Cloud Security Alliance (CSA).
“I encourage all the vendors to work together to provide the technology we need to secure the cloud infrastructure,” Cullinane said. “This is our chance to embed security right into the infrastructure.”
Meanwhile, a new initiative was launched Monday to help cloud providers develop secure and interoperable identity, access and compliance management configurations and practices. The Trusted Cloud Initiative, headed up by Novell and CSA, was described as the industry's first cloud security certification, education and outreach program for cloud providers.
“In traditional IT environments, the organization controls its applications, servers and storage infrastructure,” Jim Reavis, executive director of CSA said in a statement. “When an organization moves IT resources and sensitive data – such as personal names, addresses and phone numbers – into the cloud, control and trust issues must be addressed through a trusted third-party certification program.”
Members of the Trusted Cloud Initiative plan to establish a set of certification criteria and a visible seal of trust to indicate a cloud provider has met the established security guidelines.