I was in Barcelona for the Secure Cloud 2010 conference. Here are my impressions at the end of 2 days of interesting discussions.
I was happy to realize that – thanks to CSA and ENISA – we are definitely moving forward. We are getting out of endless discussions about problem statements and heading instead towards the next phase, which is about solutions. Here are some examples:
- We started to prioritize the issues; the best illustration of this is the CSA Top Threats initiative.
- We started talking about security metrics and frameworks for assurance and certification (expert groups within CSA).
- Some community projects are starting, for example, Craig Balding’s upcoming SkyLab project that uses an Amazon Machine Image based on a Backtrack distribution to perform penetration tests within EC2. Issues with Amazon’s service terms are solved. (I cannot resist also pointing to our own open source project Cloudy_Scripts.)
- Other very interesting initiatives that have already been started are OIX, an initiative by several industry giants to deal with the communication of online identity credentials over the web, and CloudAudit (formerly named A6), which works on defining an API to automate auditing and security assessment of cloud deployments.
There are plenty of opportunities to get involved and contribute. Now that we’ve got a better understanding of the security problems and have started moving forward, we must not forget to keep up with the pace of cloud providers, which are constantly working to improve their offerings.