Security Standards – Why they are so Critical for the Cloud

By Matthew Gardiner

Everyone loves standards, right? When is the last time you heard a vendor proudly say that their product or service was closed and proprietary? However, it also seems that every time a new IT architecture sweeps through the market, this time one based on cloud models, the lessons of the critical value of standards needs to be relearned. While it is easy to poke fun at standards by saying such things as “I love standards because there are so many from which to choose,” it is also easy to see the incredible value that they can unlock. Look at the Internet itself as an example. It is hard to imagine the cloud reaching its potential without it using a set of widely adopted standards – security and otherwise.

In the context of this blog when I refer to security standards, I am talking about security interface standards (basically cloud security APIs) that enable security systems in one domain, whether in a cloud service or in an on-premise enterprise system, to communicate and interoperate programmatically with security systems in other domains. The absence of such standards drives the use of customized integrations which have been the bane of IT agility since the beginning of modern computing.

Why is it that everyone loves standards in concept, including those for security, but often standards definition and deployment is less than speedy? Why doesn’t everyone involved just pull together and solve this obvious problem now, instead of waiting until we are all suffering from lack of standards? While this is a general issue with standards, let’s look at this issue through the lens of the emerging public cloud-based services (public IaaS, PaaS, & SaaS). There are both rational and less rational reasons why standards are developed and used at a rate slower than they should be for maximum benefit.

While not the only factor to consider, the reality is that standards must be considered as an element of the overall vendor competitive struggle, where differentiation is key. There are logical economic reasons why market dominant vendors -- in this case dominant cloud service providers -- tend to be wary of using publicly available interface standards for their services. For one it makes their differentiation that much harder and it lowers the cost of switching to competitive services. Thus interface standards can serve as a competitive threat.

While no vendor will come out explicitly against standards (remember that everybody loves them), when pressed on the issue, they will come back with answers such as, “existing standards are too immature” or the “market is moving too fast to standardize yet” to explain why they are not moving more quickly to standardize their interfaces. Of course they might be partially right, but these are not objections which generally hold up under explicit and consistent customer demand for standardization. See the broad adoption of SAML by cloud providers as an example of what this pressure can accomplish.

This leads me to one of the less rational reasons why standards are not used as readily as they could be: Lack of customer vision! Without a clear long-term vision of the future and how cloud services will be engaged to support the business, customer’s of today’s cloud service providers basically stumble into using the available proprietary interfaces and thus are enabling the current providers to largely get away with not providing standards based interfaces. IT departments are doing what they need to get the job done, which optimizes the short-term results, but unfortunately it’s at the expense of the longer-term.

What does the future of the cloud look like over the next three to five years? In my view organizations of all sizes will be deep in the middle of a dynamic and hybrid mix of public cloud services, private cloud services, and traditional on-premise IT systems. The mix will vary by organization. We could see 20 percent public cloud services and 80 percent on-premise and private cloud services at some organizations and a 50/50 split or some other mix at other organizations. Even within the public cloud category there will be a tremendous variety of usage at most organizations, not only with the types of cloud services used (Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-service) but also with the variety of service providers from which they receive them. If you agree with this view of the future, then you should understand the need to use security interface standards to enable effective security management across them.

If supporting dynamic and hybrid IT requires organizations to continually build-up and tear down proprietary security integrations that bridge their on-premise and cloud worlds, then they will either be spending an inordinate amount of time and money creating these integrations, or worse will be living in the middle of a hodge-podge of security silos, which are neither secure nor convenient for the users.

For the cloud to reach its potential as the next transformative IT architecture akin to the Internet itself, it is critical that it operate similar to Legos which can be assembled and re-assembled quickly and securely as required. Furthermore, it is imperative that automated controls, both preventive and detective, can be configured to flow back-and-forth between and among all components of the organization’s mix of public and on-premise IT systems. This prospective future is not as far off as if it might seem. There are many security interface standards already in existence (XACML, WS-Security, CloudAudit) and some are already relatively widely deployed, such as SAML, that were built to enable the hybrid cloud and on-premise application world. The primary issue now is the adoption of these standards.

While I recognize that collective action on the use of security standards such as these is not easy, I believe it is imperative that customers start envisioning and working towards this future now - and pushing their cloud service providers to get onboard with it too.

Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security and Identity & Access Management (IAM) markets worldwide. He writes and is interviewed regularly in leading industry media on a wide range of IAM, cloud security, and other security-related topics. He is a member of the Kantara Initiative Board of Trustees. Matthew has a BSEE from the University of Pennsylvania and an SM in Management from MIT's Sloan School of Management. He blogs regularly at: http://community.ca.com/members/Matthew-Gardiner.aspx and also tweets @jmatthewg1234. More information about CA Technologies can be found at www.ca.com.