Myths about Cloud Security

17.03.2010 by Martin Kuppinger

There are so many myths out there about Cloud Security – time to start putting them to rest…

  1. The cloud is inherently insecure. No, not really. There are providers which deliver a high level of security. The cloud can be more secure than internal IT, given that services are frequently operated very professionally.
  2. The cloud is more secure than the internal IT. No, not that either. The cloud is neither secure nor insecure. It is about the single service, which might be more or less secure. And it always depends on what you compare it with, e.g. how strong security in the existing internal environment really is. Thus, it is important to define security requirements in service descriptions and SLAs and to measure security.
  3. Cloud Security issues are new. No, most of them are not. They are the same as in outsourcing or in the tactical use of external services we have been doing for years now. The difference is that there are many more services to deal with – which is an opportunity to handle security in a standardized way and improve it beyond the typical ad-hoc approaches of the past.
  4. Security is the task of the Cloud Service Provider. Yes and no. Service providers have to provide a high level of security and they have to provide information about it. But you can’t just rely on them. You’re always the one who defines your security requirements and is responsible for their fulfillment – by choosing appropriate service providers.
  5. We can’t do things outside of the EU. A myth. There are some legal aspects around operations on privacy-related data which have to be observed. But overall it’s not that things can’t be done; it is more about a big grey area of uncertainty.
  6. SAML solves the IAM issues in the cloud. No, definitely not true. SAML is the first little step towards the target of externalized security of cloud services. But that’s only about the separation of administration and authentication. The much more interesting topic of authorization (XACML and other standards) has to be solved as well. And few cloud service providers support XACML today. A few support their own proprietary web services as an alternative. Not to speak of auditing interfaces…
  7. Security in the cloud can’t be measured. Somewhat true – in the sense that most providers don’t support risk metrics, detailed auditing and so on. But theoretically not true, because these interfaces can (and should) be provided.
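To make the point of myth 6 concrete, here is an added illustration that is not part of the original post: a SAML assertion tells the service who the user is and which attributes the identity provider vouches for, but it carries no access decision. Deciding what that user may do is a separate policy decision, which XACML assigns to a Policy Decision Point (PDP) and which a Policy Enforcement Point (PEP) acts upon. The assertion XML, the attribute names (`department`, `role`), the resource `ledger` and the policy rules are all constructed for this example.

```python
"""Added example (not from the original post): SAML attributes feed an
XACML-style policy decision; the assertion alone never grants access."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, minimal SAML 2.0 attribute statement (unsigned, illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>analyst</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract the subject and its attributes. This is authentication data only:
    it says who the user is, not what the user may do."""
    root = ET.fromstring(xml_text)
    subject = root.find("saml:Subject/saml:NameID", NS).text
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"subject": subject, "attributes": attrs}


# Constructed XACML-style rules: a target (resource, action), a condition over the
# subject's attributes, and an effect of Permit or Deny.
POLICIES = [
    {"resource": "ledger", "action": "read",
     "condition": lambda a: "finance" in a.get("department", []), "effect": "Permit"},
    {"resource": "ledger", "action": "write",
     "condition": lambda a: "controller" in a.get("role", []), "effect": "Permit"},
    {"resource": "ledger", "action": "write",
     "condition": lambda a: "contractor" in a.get("role", []), "effect": "Deny"},
]


def decide(identity, resource, action, policies=POLICIES):
    """Policy Decision Point with deny-overrides combining: any applicable Deny wins,
    otherwise Permit if some rule permits, otherwise NotApplicable."""
    attrs = identity["attributes"]
    effects = [p["effect"] for p in policies
               if p["resource"] == resource and p["action"] == action and p["condition"](attrs)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def enforce(identity, resource, action):
    """Policy Enforcement Point: only an explicit Permit opens the door;
    NotApplicable and Indeterminate results are treated as a refusal."""
    return decide(identity, resource, action) == "Permit"


if __name__ == "__main__":
    user = parse_assertion(SAMPLE_ASSERTION)
    for act in ("read", "write"):
        print(user["subject"], act, "ledger ->", decide(user, "ledger", act))
```

The separation is the point: the identity provider can be swapped or federated without touching the rules, and the rules can be audited and changed without touching authentication. A real deployment would also verify the assertion's signature, issuer, audience and validity window before trusting any attribute, which this illustration leaves out.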

More on Cloud Security and some of the myths and real issues in the KuppingerCole Virtual Conference on Cloud Security. Register for free!

And for sure at Cloud 2010, parallel to EIC 2010.

RSA goes GRC

13.01.2010 by Martin Kuppinger

For some of you, the acquisition of Burton by Gartner might have been the deal of the year. I (for sure, acting in the same market) will not comment on this. But for me, it hasn’t been the deal of the year even in these first two weeks. Much more important is the acquisition of Archer by RSA. RSA Security, an EMC subsidiary for several years now, has bought one of the leading GRC vendors. In fact it was EMC which acquired Archer, but within EMC it has been RSA Security.

Archer is one of the major players in the Enterprise GRC market – I recently discussed the various segments of the GRC market. With the acquisition of Archer, RSA – until now a provider of very specialized components in the SIEM, DLP, and other security related markets – tries to close the gap between its own specialized components and the high-level view of Archer (being mainly an Enterprise GRC provider with some level of CCM). That definitely makes sense. And it fits well in EMC/RSA’s strategy for Cloud Security. Thus, by integrating the tools of RSA (and other EMC companies), providing information for automated controls, with the high-level view of Archer, the drill-down features, and the manual control capabilities as well as the overall policy and control management, EMC (with RSA and Archer) might well be able to make a big step forward towards an integrated GRC offering.

However, this shouldn’t be limited to security-related IT controls but should cover all types of IT controls, including service management, access governance, and others. Standards like COBIT show how many different controls are relevant. And, from the high-level perspective (the Archer view), it should even go beyond IT controls and IT GRC. Thus the acquisition of Archer shouldn’t be understood as the final but as the first step. Integration of what EMC and partners are offering is the logical next step – but to fully deliver on the idea of an integrated GRC, EMC might have to add some other technologies (like access governance and, especially with a focus on the cloud, service management).

Anyhow: The acquisition makes sense, no doubt about that. And I’m convinced that it hasn’t been the last one in the GRC market for this year.

The simple cloud API – a step forward?

09.12.2009 by Martin Kuppinger

A few weeks ago, the “Simple Cloud API” was announced. The company behind this is Zend Technologies, which calls itself “The PHP Company”. More important is the fact that Microsoft and IBM are amongst the supporters of the Simple Cloud API. That means that there is significant momentum behind that approach from the very beginning.

One could argue that this is just another standard or API besides so many approaches we’ve seen recently. However, the Simple Cloud API is somewhat unique for some reasons:

  • It is focused on PHP. You may like PHP or not, but it is an important language for web development.
  • It is currently focused on the infrastructure layer, with (at the beginning) support for file services, document services, and simple queueing. That might change over time, but it adds to the mainly management-oriented standard approaches which dominate the emerging cloud standards.
  • It is usable. It is not an XML-based protocol but really an API which interfaces with existing services. Ready to use from the beginning – look here. However, it is under development, so some things might change.

The approach of the Simple Cloud API is simple: A PHP API and adapters to existing services, including the ones of Amazon EC2 and Windows Azure.

Thus the Simple Cloud API is not only simple but close to being ready to use (close to, because it is still under development). But it is definitely worth having a look at.

Why cloud services will sell despite slowdowns in outsourcing and MSS growth

05.11.2009 by Martin Kuppinger

Within the last few months, I’ve read several news items about slowdowns in the growth of the outsourcing business and particularly the MSS (Managed Security Services) business, at least compared to the high expectations raised in the years before. Does that mean that the cloud is dead before it really starts? I don’t believe so, for several reasons:

  1. There are different numbers regarding the status and growth of the MSS and outsourcing market. Some are much more positive than others – and it is no surprise that the negative ones are cited most (even the IT press more and more acts in the yellow press way…).
  2. In days of economic turmoil (and we are still in these days, despite the quick recovery of the bonus mentality in financial institutions), customers tend to first drop external services before they fire employees – that affects MSS.
  3. Outsourcing is sort of a “big beast” which is difficult to tame. It takes a long preparation, it is inflexible. Overall, it needs to adapt to become more flexible and easier to use. Cloud Computing with its granularity of services is an approach to address the shortcomings of outsourcing.
  4. Feedback I had from multiple CISOs regarding MSS is that the quality of service and the level of control frequently is insufficient – thus it is about implementation and delivery of MSS, not the overall concept.

Two reasons why the Cloud (in my understanding of an approach for a flexible use of IT services with the ability to switch between and choose the best provider, internal or external – i.e. much more about service than about external things from the Internet) will be successful, briefly explained:

  1. If you think about a matrix like the one shown below with two axes, Outsourcing is just sort of the specialized approach to the cloud. And from our expectations, the sweet spot for most providers will be around “community clouds”, in the centre of this. That potential for industry clouds, community clouds, and point solutions isn’t unveiled yet. Thus, there is much more in the cloud than is discussed today.
  2. The cloud is not new. It didn’t just appear in the sky but grew over years. SaaS has been out there for a while, service management as well. Not even to talk about outsourcing. The cloud is, from my perspective, just the result of an evolution from a tactical, opportunistic use of external services towards a strategic approach on how to best provide IT services (external vs. internal). We’re at sort of the “break-even”, to use an analogy.

(Figure: Cloud Matrix)

By the way: The biggest risk for the cloud is too much marketing. But that was the same with Client Server, the Internet, and many other things. None of them disappeared, but all big changes took years to become reality. The same is true for the cloud.

I appreciate your feedback on that! And see you at EIC 2010 and Cloud 10, both to be held in Munich, May 4th to 7th, 2010.

Integration for the cloud

07.10.2009 by Martin Kuppinger

On Monday I met with Matthieu Hug from RunMyProcess in Paris, an interesting start-up company in the “cloud”. Their focus is pretty simple: Integrate the cloud – with what you have internally and with other cloud services. At CeBIT 2008 I gave a presentation about “SaaS” and related topics (we didn’t use the term “cloud” at that point in time). One of the three major issues I discussed as threats in that area (and would mention nowadays as cloud threats) is integration. How do you integrate external cloud services with other external services or internal applications? Some of these services provide a set of web service interfaces. But even then, integration is tough work.

RunMyProcess now provides an external “cloud” service to do that integration. They provide pre-configured web services for a series of (external) cloud service providers, including Salesforce.com, SAP BusinessByDesign, and GoogleApps. And they allow you to define processes which include one or more of these products. That allows you to build integration between such services and existing internal applications. It also allows you to enhance cloud based services like GoogleApps. Matthieu told me that some of his customers are adding workflows to GoogleApps to replace Lotus Notes (even though I’d recommend the customer to consider LotusLive as an option in that case…). And there are some companies starting to create added-value services by integrating and enhancing cloud services, creating sort of “industry clouds” or “community clouds”.

I like the approach of providing an integration platform in that way. It doesn’t solve every problem (and more complex platforms built on top of classical application servers might provide some more functionality), but it is an answer to one of the biggest threats in the cloud. Thus it is definitely worth having a look at that solution. And it is just another example of the amount of creativity unveiled by the cloud evolution.

If you want to learn more about the cloud, you definitely should attend Cloud 09, Dec 2nd-4th, Munich. And you should always have a look at the Kuppinger Cole webinars. We do webinars on cloud topics frequently – and there are many recordings of cloud webinars available.

VeriSign VIP – back again?

24.09.2009 by Martin Kuppinger

It has been pretty quiet around the VIP (VeriSign Identity Protection) solution. I played around with that solution some two years ago, when support for eBay and PayPal had been added. But after that I didn’t see much of VIP (and didn’t hear much of VeriSign, honestly). Until these days, when TriCipher and VeriSign announced a strong authentication solution for Google Apps. They call it “triple-sec” given that three different factors are used – the two provided by TriCipher and an out-of-band authentication based on VeriSign VIP Access for Mobile.

VeriSign VIP Access for Mobile is in fact an OTP (one time password) generator which runs on mobile phones. Overall, strong authentication can be achieved that way for TriCipher’s MyOneLogin service, which is the tool used. MyOneLogin is a cloud-based SSO solution for other (external) cloud or SaaS services which uses SAML to provide authentication information to Google Apps Premier.

The VIP support is offered for free for Google Apps Premier customers – as long as they use the strong authentication only for Google Apps Premier. If they’d like to extend this to other apps, it’s not free anymore. Anyhow, this is at least an interesting solution for companies who rely on these cloud services and require a relatively easy strong authentication solution. For sure you’d have to accept that you need your mobile phone in addition, but the alternative would be to rely on some soft-token approach or to carry another token or device to support strong authentication.

Besides the fact that the “for free” doesn’t last long in practice, given that most customers probably will secure other apps as well, the biggest question from my perspective is whether a cloud-SSO for cloud only (more or less) is the solution of choice. Customers which still rely heavily on internal (and non-web) applications might benefit more from a traditional E-SSO approach supporting internal as well as external applications of any type. However, integration of these tools with applications like Google Apps typically relies on the traditional exchange of username/password in the background instead of the more advanced SAML approach provided for example by MyOneLogin. In other words: There are other options, but at least the TriCipher/VeriSign offering is an interesting approach worth having a look at.

To learn more about what’s going on in the “cloud”: Attend the Kuppinger Cole Cloud 09 conference, December 2nd-4th, Munich.

Cloud Business Models – a threat for vendors

18.09.2009 by Martin Kuppinger

During the last months I had a number of conversations with vendors about the licensing and business models for their cloud offerings. And frequently the conclusion was that the models aren’t really adequate for the cloud. Some might work today and for some period of time, but they are not likely to be successful on the longer term.

One of the obvious shortcomings is accounting periods which are too long and thus don’t provide the required flexibility which is a key advantage of cloud services. Contracts which run at least 12 months or accounting periods which look at the peak use within a calendar month are not what we need for the cloud. Over time, customers will expect the ability to switch their provider quickly and to pay per use. For sure there are services where customers aren’t that likely to move ever or in the short term (salesforce.com, SAP BusinessByDesign). But I’ve seen that model as well at the platform and infrastructure level.

But pay-per-use models can be critical as well. If there are either too many elements in them or elements which can’t be predicted, these models don’t provide the advantage of reliable cost models, which is as well a key advantage that cloud services can and should provide. That is the same as with ISPs in the past – there will be a logical move to flat-rate models. No one likes to go bankrupt because they are too successful.

The reasons for these sometimes inadequate business models are obvious:

  • Many vendors in the cloud are experienced with classical, license-based business models and have no experience and sometimes little understanding of new cloud business models. They are unsure and have to learn.
  • Customers currently frequently accept these business models – but that will change.

However, it is very interesting to observe the change in these business models over time. In the cloud, business models are always under stress test. The impact of actions of other vendors is strong. For example, Microsoft in fact has defined a maximum price tag for hosted Exchange services with their own offering. Providers which want to earn more will have to very clearly show the added value to their customers.

That will not automatically lead to a situation in which the cheapest provider wins. But for sure cloud service providers will have to react to what others are doing. Thus, flexible business models and an efficient production of cloud services are mandatory. Vendors who are not able to keep pace with these changes in business models are likely to disappear from the market.

Social OX – changing the way we work with social networks

18.08.2009 by Martin Kuppinger

Open-Xchange, a provider of open source messaging and groupware, has announced its concept of Social OX, OX standing for Open-Xchange and the concept of a “personal information hub”. The idea is to provide an approach where someone can maintain their “contacts” centrally and exchange that information with social networks like LinkedIn, Plaxo, Xing, Facebook, MySpace, and others. The idea is to consolidate, manage, and re-use personal and social network data.

The concept supports publishing data to others and consuming shared data. In effect, that information will become exchangeable, in contrast to today’s lock-in approach in most social networks. Data can be tagged and so on, allowing the use of different data for different contexts. That will even allow companies to integrate (respecting the data protection/privacy laws) available contacts aggregated from the individual contacts of employees, as one of many use cases.

Currently, HTTP and XML are the underlying concepts, allowing an easy adoption. But Open-Xchange is considering approaches like information cards as well for the future. The focus is on common semantics and standardized interfaces to exchange that information. And Open-Xchange claims that several large social network providers are starting to support that concept.

Social OX is an interesting threat for providers of social networks, given that it opens them up. But will it also affect their business models? Currently, the lock-in is a part of their concepts. With approaches like Social OX (and the approach for exchanging social network information might be used by other vendors as well) that lock-in disappears, allowing the use of platforms like Open-Xchange to read the data out and publish it to another social network. That will allow a faster and easier switch between social networks.

However, it is unlikely that leading social networks will disappear. They benefit from the number of users and they especially benefit from their other services around the personal information which could be exchanged using Social OX. However, it will become easier for new social networks (and other systems relying on that information) to enter the market. Today, the value of new social network approaches is frequently low because there are too few users. That will become easier, even with the need for others to subscribe and import their data as well.

Social OX has the potential to influence the way we work with social network data and personal information, with Open-Xchange (and maybe other vendors) acting as a personal information hub. It might as well allow new business models (think about personalization). And it might lead to a world with more successful social networks than today, due to a lower barrier to market entry for newcomers. But as long as the market leaders focus on the added value for the network members and have a valid business model (which isn’t necessarily true for all of them today), Social OX will not lead to their replacement. However, they will have to learn to exist without the lock-in of their customers’ social network information.

Licensing for the cloud – the Skype case

03.08.2009 by Martin Kuppinger

These days, there have been several articles in different media stating that eBay might discard its Skype service. The reason is that they haven’t acquired the underlying P2P core technology. This is still owned by Joltid. And Joltid plans to terminate that license agreement. One doesn’t need to be a prophet to guess that the real reason behind that situation is about money…

However, eBay definitely is in a difficult situation. They might find a deal with Joltid. They might discard the Skype service with its 16 million users – who probably won’t be that happy about it. They might develop their own P2P technology. Or they might replace the P2P technology. Given the limited time eBay has to solve the problem, the most likely options are that eBay either will find a new agreement with Joltid or will have to acquire another P2P technology. There are several P2P providers out there, some supporting phone capabilities, like Collanos Phone. There are Open Source projects like Gizmo. Thus there are some options. It will require some intense technical due diligence for eBay to choose the technology which allows it to continue the Skype service with roughly equal features and not too much disruption for existing users. But there are solutions out there.

It will be interesting to observe which option eBay chooses. Given that I’m a Skype user, I’m really interested in it. I’m as well interested from the perspective of an analyst for the Cloud Computing market, because the situation eBay is in shows the inherent complexity of Cloud Computing with many different relying parties. Think about a situation where, just as an example, a database isn’t provided any more by the cloud computing platform it has been run on before, because the company providing the platform has terminated the agreement with the database vendor. That would be somewhat the same story. Thus, think about these dependencies and look at the potential problems…

Will DMTF deliver on cloud management?

08.07.2009 by Martin Kuppinger

Recently, the DMTF (Desktop Management Task Force) announced an initiative to develop cloud standards for resource management, packaging formats, and security mechanisms to facilitate the interoperability of private and public clouds (and amongst public clouds from different providers). Given my recent criticism of the term “private cloud”, that means just standards to be able to use different types of service providers, regardless of where they are. The announcement can be found here.

The DMTF starts an Incubator to develop such standards, including existing work and standards like WS-Policy and others. From my perspective, DMTF is an interesting player in that field given that they have succeeded with some other standards around desktop management and systems management. And they have a lot of vendors on board, mainly from the virtualization and systems management market segments. Thus it is likely that they are able to drive things forward. Anyhow, they shouldn’t fail to include existing de-facto standards like the APS (Application Packaging Standard) promoted by Parallels.

There is no doubt that we need a lot of standardization for the cloud. The DMTF initiative addresses current needs of managing the “infrastructure cloud” but will as well influence the level of the “platform cloud”, as long as you understand management for systems, identities, and so on as part of that level. Anyhow, it will probably take us some years until we can use cloud-ready systems management tools which rely on the potentially upcoming standards in that area.

And we also have to be aware of the fact that even that initiative will cover only a few of the missing standards for the cloud computing of the future. Authorization management, business-level policy management, SLA standards and many other elements are missing today. Anyhow, any initiative for further standardization is welcome from my perspective, as long as it focuses on integration with other initiatives and existing standards and as long as it delivers – the sooner, the better.

And, by the way: Don’t miss the Cloud 09 Conference in Munich, December 2nd to 4th.


© 2010 Martin Kuppinger, Kuppinger Cole + Partner