Q&A with Kurt Roemer: why cloud will attract the security conscious
We talk to Kurt Roemer, Citrix's chief security strategist on cloud security, the Patriot Act and other topics
For a long time it has been cloud versus security; how have you seen attitudes towards cloud computing progress?
First of all, people are probably less trusting but for good reasons. You look at a lot of the data breaches out there, regulations and compliance, and we see many more people buying cloud services are actually asking the right questions and getting what they need for security upfront.
As an IT organisation and as vendors, we all need to promote that more so that people who are in departments handing over credit cards to buy cloud services are asking the right questions upfront.
Along with that, the cloud service providers are also enabling more security features as you set up applications in the cloud.
Citrix is continuing to promote that and give a secure foundation with the hypervisor, security throughout CloudStack, security throughout desktop workloads, even security in things like ShareFile.
Citrix has released more products for the SMBs and your CEO claimed they were more willing to put their stuff into the cloud. Do you see them willing to take more risks?
A lot of them are as they don’t have the access to the IT resources that larger organisations have so when you are going [to] bring applications online, you can either go out and hire IT staff, install [everything you need], purchase all the equipment, have it all configured and two years later you are broke or, well you see what I mean.
We do see the attractiveness of the cloud from an agility perspective and it has been a real enabler to small and medium businesses. Cloud providers have been focusing on them… and we have continued that as well with our support of SMBs with VDI-in-a-Box.
On the other end of the scale then, will public cloud solutions ever be suitable for the more security-conscious enterprise?
Yes.
[Care to elaborate?]
A lot of it is cost and scalability. A lot of enterprises are immediately attracted by the cost of the cloud and that is driving a lot of projects.
We see that a lot in the US. The Obama administration has adopted the Cloud First [system] where all new applications must be considered in the cloud first.
I was in the Cloud 2 commission that provided advice for secure use of the cloud for Government; this was sent out to the private sector as well. We made various recommendations [available to download] which showed what you need to consider as you move to the cloud and basically gives you a checklist as well for procurement.
We have seen other organisations like the payment card industry [PCI - Roemer also worked on this] and the Cloud Security Alliance (CSA), which also has a lot of very specific [guidance].
Anyway, this is a long way of saying that there is a lot of prior art out there to show that cloud computing can be used for very sensitive workloads and used very effectively.
There are a lot of advisory boards out there but they conflict. Isn’t it just the same conversation as needing standards so all the advice comes from the same page?
They aren’t [on the same page] and there are some projects to try and unify those and tie them together. We are seeing that with the CSA but also NIST (National Institute of Standards and Technology), their cloud computing guidance is continually updated referencing many of the other best practices across the industry.
So, an organisation can go out and audit for that, architect for that and make sure they have a rigorous set of objectives they can use.
It will [take time], definitely.
So, back to the US Government, regulation is a question a lot of people have, especially how the US rules affect us in Europe. Is the Patriot Act going to be revised?
If you are a US company, you are subject to the Patriot Act, but there are various interpretations of this. The actual enforcement is something that none of us have visibility into.
There is a legal need for access and subpoena for observation of criminal enterprises and terrorists that are really compromising all of our lives. But, it has also discouraged some companies from doing business in the US, definitely from having their clouds in the US, and it has allowed regional clouds to pop up.
You look at the EU privacy directive and you look at some of the individual privacy needs of say Germany and it may make sense for them to have clouds retained within the country.
The problem becomes when you may have customers in the US, a division in the US or you might have some data that needs to reside in the US… how does the Patriot Act apply?
You may have seen Microsoft’s comments on that…
Yes, we have, and it is what is making a lot of Europeans worried…
Well, that is one thing I would have you reference.
People are still doing cloud in the US, but when one of these cases happens, where is the blame going to lie?
Well, it all depends on the individual case and what happens. Case law really hasn’t played this out yet. Ultimately it is the company that is affected that has to hand their data over [not the provider] when someone comes in and sues them because of this.
If the [provider] has satisfied their service level agreement (SLA), you have paid for your data to reside in the Dublin data centre, we are going to keep it here. If they have adhered to that agreement, it would be hard to find them liable if you were a jury right?
However, if they move that workload over to the US under various circumstances, even under duress they had to move it, that is a different story. You have to ask that question upfront.
So, do you think there will be some changes to the Patriot Act?
I can’t even predict or comment on that.
There is definitely a need to collect that information and I would assume other Governments are doing something similar as well.
Jennifer Scott is a former freelance journalist and currently political reporter for Sky News. She has a varied writing history, having started her career at Dennis Publishing, working in various roles across its business technology titles, including ITPro. Jennifer has specialised in a number of areas over the years and has produced a wealth of content for ITPro, focusing largely on data storage, networking, cloud computing, and telecommunications.
Most recently Jennifer has turned her skills to the political sphere and broadcast journalism, where she has worked for the BBC as a political reporter, before moving to Sky News.