At the CloudCamp Seattle last week, there were many lively discussions.  A number of vendors stepped up with some great discussion on their products and solutions. One question that was quickly mentioned and pops up in my mind was regarding PCI compliance.  Now, PCI is a well known standard and should not be a radical enterprise issue, but a question of approach, methodology and planning.

However, in some discussions after the event, I brought up some questions on the topic of performance concerns and oversubscription.  Multitenancy is potentially a concern from the performance perspective, particularly when virtual systems begin to outnumber the actual physical cores in a given host. This indicates one of several cloud concerns and on the topic of PCI and other security issues, it indicates a fundamental question with data security that the enterprise is rightfully slow to embrace.

One fundamental issue is the lack of visibility into the infrastructure.  Virtual systems and the data they possess could literally be anywhere in the provider infrastructure in live and offline copies, snapshots, and disparate data centers.  How are these factors accounted for?  What do your SLA’s state?  And who is the watchdog in that realm?  Who is on that same system as you?  Could there be a hacker or rogue application?  What about compliance issues such as PCI?  Are you sharing a system with a competitor?  What are the ramifications if one of these things fails or is compromised? 

The Point is the lack of Pointers to the Downsides

I could easily shoot off another 20 questions. To be fair, there may be a number of answers out there that satisfy much of these questions.  The issue is there is too much buzz and hype about cloud computing and the picture is extremely skewed about the benefits and very little attention to security questions.

As long as these things endure and the industry does not focus on some of these fundamental security concerns in a clear, concise way, there will be this lingering question of trust in public cloud computing.  An enterprise that properly mitigates risk has to address these questions and overcome that gap in trust. Even in world of security, there is a limited toolkit we have to combat and overcome the bad guys and their tools and tactics grow and change every day.  Some of us have to be cops in the big picture.