Cloud Security Alliance

The Cloud Security Alliance has recently released the second edition of its Cloud Security Guide, defining recommendations for Cloud security at different architectural levels.

We’d like to highlight one important issue raised by the authors: the abstraction level provided by the Cloud, which hides the underlying heterogeneity of resources, makes it especially hard to integrate classical security controls, such as those dealing with network security.

We agree that having these recommendations handy would result in a secure Cloud environment. However, as we highlighted in a previous post, we still miss a detailed architectural state of the art for tools helping to enforce the proposed recommendations.

As stated in a well-known Cloud security blog, it is time for Cloud security resolutions, not just recommendations or predictions.


Advanced billing models for the Cloud, at last!!

Yes, I was trying to attract your attention with a “British tabloid” style heading here. The news is not at all so radically new, but now that I have attracted your attention, I beg your pardon and kindly ask you to allow me 4 minutes to sum up Amazon’s “new” billing model :-)

Amazon announced spot pricing for cloud compute instances. EC2 customers can indicate their own price, and Amazon EC2 will bring compute instances up at variable discount prices according to these “bids” [1].

This move is in sync with their strategy of extra-cost reserved instances, which is regarded as an evolution by many but, frankly, resembles previous allocation models in Grid computing. Again, nothing new under the sun. Indeed, auction systems supported by software agents and expert systems have been on the market for a long, long time.

In [1], the authors raise a very interesting question that we generalize and rephrase here: Are different billing models needed for different Cloud service types? How many do we need per service type? Is the billing model the only important parameter here?

From this humble Internet corner, we bet that automated bidding systems will play a role in massive service provision and in obtaining better prices. Still, some important features are missing, such as custom billing support for “VIP” clients.

[1]  http://web2.sys-con.com/node/1220487

Cloud security, the same questions over and over again

A few weeks ago, the European Network and Information Security Agency (ENISA) released a document highlighting relevant topics for Cloud security.

In their “Cloud Computing: Benefits, risks and recommendations for information security” report, European experts analyze the main threats for Cloud security adoption.


Stating that the “major conclusion of the report is that cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective” is, at best, a short outcome for 123 pages.

The report lacks a detailed state of the art, and its results are partially based on perceptions gathered in a survey of SMEs whose sample is very limited and can hardly reflect the diversity of SMEs in the EU. The lack of an appropriate state of the art resulted in very general research recommendations for investigators and somewhat vague indications for Cloud users. We missed more concrete mechanisms and a specific section for Cloud providers on increasing the security levels they provide, which could certainly help European companies attract more clients to their Cloud businesses.
