Tuesday, January 6, 2009

Rational Survivability: The Big Four Cloud Computing Providers: Security Compared (Part I)

An article comparing the large cloud computing providers that operate their own data centers at scale.

The content itself is not much, but it leaves a strong impression that, when it comes to security, none of these companies has a particularly clear policy; rather, each writes whatever it likes without paying much attention to the others.

In today's cloud computing industry the main topic is what can be done, while issues such as security and data integrity, which become real problems once production operation begins, seem to be pushed to the back. This suggests that the cloud computing customer base is still mainly ISVs and small customers.

If one or two security incidents occur in the cloud computing market, the industry will start to move, but at present it may be better not to expect too much from US companies in this area. Rather, I feel this could become an area of business opportunity for Japanese companies.

What would a cloud computing security solution specific to the Japanese market look like?
 

James Urquhart posted a summary a week or so ago of what he described as the "Big 4" players in Cloud Computing.  It was a slightly humorous pass at describing their approaches and offerings:

Below is a table that lists these key players, and compares their offerings from the perspective of four core defining aspects of clouds. As this is a comparison of apples to oranges to grapefruit to perhaps pastrami, it is not meant to be a ranking of the participants, nor a judgement of when to choose one over the other. Instead, what I hope to do here is to give a working sysadmin's glimpse into what these four clouds are about, and why they are each unique approaches to enterprise cloud computing in their own right.

James provided quite a bit more (serious) detail in the text below his table which I present to you here, tarted up with a column I've added and James left off titled "Security." 

It's written in the same spirit as James' original, so feel free to take this with an equally well-provisioned grain of NaCl.  I'll be adding my own perfunctory comments with a little more detail shortly:

[Table: Big4cloud]

The point here is that the quantification of what "security" means in the cloud is as abstracted and varied as the platforms that provide the service.  We're essentially being asked to take for granted and trust that the underlying mechanicals are sound and secure while not knowing where or what they are.

We don't do that with our physically-tethered operating systems today, so why should we do so with virtualization platform hypervisors and the infrastructure "data center operating systems" of the cloud?  The transparency provided by dedicated infrastructure is being obscured by virtualization and the fog of the cloud.  It's a squeezing the balloon problem.

And so far as the argument goes toward suggesting that this is no different than what we deal with in terms of SaaS today, the difference between what we might define as legacy SaaS and "cloud" is that generally it's someone else's apps and your data in the former (ye olde ASP model.) 

In the case of the "cloud," it could be a mixture of applications and data, some of which you own, some you don't and some you're simply not even aware of, perhaps running in part on your infrastructure and someone else's.

It should be noted also that not all cloud providers (excluding those above) even own and operate the platforms they provide you service on...they, in turn, could be utilizing shared infrastructure to provide you service, so cross-pollination of service provisioning could affect portability, reliability and security.

That is why the Big4 above stand up their own multi-billion dollar data centers; they keep the architecture proprietary so you don't have to; lots of little clouds everywhere.

/Hoff

P.S. If you're involved with platform security from any of the providers above, do contact me because I'm going to be expounding upon the security "layers" of each of these providers in as much detail as I have here shortly.  I'd suggest you might be interested in assuring it's as complete and accurate as possible ;)