In a frank interview at Infosec 2009, Philippe Courtot, CEO of Qualys, founder member of the Cloud Security Alliance, and Jericho Forum member talked about the reality of the Cloud and its impact on mainstream computing as we know it today. Mr Courtot described the effects, "The Cloud is a very disruptive technology which is going to change a lot of the ways in which people run their businesses in the same way that the internet impacted on business processes. In fact the Cloud is just one aspect of the evolution of the internet."

In a bold statement about the issue of data, Mr Courtot essentially said,"The inconvenient truth in security is that securing the data within an organisation is almost impossible because the location of more than 50% of data is often unknown ie it could be on USB stick, CD, backup, servers, desktops, email and so on."

In fact, by having the data in the Cloud, people know where the data is and the protection mechanisms are very similar to those of the mainframe. However people can now quickly access their data no matter where they are located, whilst at the same time being able to utilise mainframe computing power from their desktop.

From an organisational perspective, Cloud Computing will have a large impact in the way in which business processes occur. For example, as Cloud Computing gains more and more acceptance, less and less computing structure will be required, IT departments will shrink because there will be less back-end processes to manage and the role of the CIO and CISO will more than likely merge.

In addition, security professional jobs are going to become less technical and more strategic. For example, their decisions will become more about which Cloud providers to use, what types of security restrictions and compliances the Cloud vendors have in place and how to make data available to employees worldwide when there are restrictions on data location.

Decisions about what and how many servers to buy, what applications to run on them, should they be virtualised, the issues of patch testing versus immediate distribution,how to protect servers from zero day attacks, and how to have a layered defence model to protect their physical and logical assets, all of these and many other similar decisions will become almost non-existent due to the outsourcing of the majority of the compute power.

From a security vendor perspective, security vendors will need to change their business models to answer the security needs of the cloud providers rather than the enterprise.

In summary, their will be many business and organisational challenges in addition to the contractual, legal, compliance, and storage challenges.

References
Security Vibes Interview with Philippe Courtot
Security Vibes Summary Report on Cloud Computing with Cloud Report Links
Cloud Security Alliance Report
Jericho Forum Cloud Cube Model
Controversial McKinsey report on Cloud Computing
ISF (information Security Forum)
Qualys

If C level executives believe that Cloud Computing is now, or fairly soon going to be a reality for their business, then they need to be thinking about what new skillsets they will need for themselves and their staff.