Category Archives: Security

Cloud Security Alliance Conference

The best minds in cloud security are meeting today at the Cloud Security Alliance Private/Public Cloud Summit…no, not really. I just wanted to say that because it typifies the hype and marketing I often find in cloud computing model discussion. There are a lot of smart people here, though, and the presentations are interesting.

We have heard about compliance in a presentation by Symantec that should have been titled “Why SAS70 (still) has zero value”. Naturally the compliance presentation brought up the ubiquity of LAMP.

We also have heard from Dell about how they support LAMP, especially after their merger with Perot. They offer consulting services for LAMP to get your company into the public cloud.

The Burton Group presented on the trust and identity models of private and public clouds, and how LAMP might be deployed.

LAMP? It’s the Linux Apache MySQL PHP (or Perl) model of computing. I guess it’s more PC (pun intended) to just talk about cloud computing instead of calling it enterprise LAMP.

eBay, also a cloud provider, presented on identity and encryption and how they are moving to a public cloud as a consumer. They didn’t mention LAMP but you know it’s in there. Instead they talked about how cool it is to deploy code to handhelds and phones…oh, yeah, and I’m sure they were developed by the best minds in cloud. Next please.

Aside from the LAMP angle, what stands out most to me is the notion of linear change. Every presenter is working from the assumption that traditional computing was transformed by virtualization, which then became private cloud and will eventually achieve public cloud status.

This strikes me as awkward, if not completely skewed. Many people obviously are vested in the public cloud as the height of evolution (those selling products and services). Here’s a typical comment, found in the eBay slides:

“Private clouds do not offer the cost savings of public clouds”

Click. Next slide…wait, wait, just wait one minute. How is that cost measured? Are you considering privacy cost savings? What about control and compliance cost savings?

Long story short, I see an evolution ahead from proprietary but public cloud to distributed and open public cloud. This is like saying the true private clouds will come about just like LAMP. What do I mean by true private?

Remember how data was put on the Apple, IBM, Sun, Microsoft and Oracle etc. devices while they promised “cost savings” versus roll-your-own systems? LAMP grew and evolved and roll-your-own has again become the future of data management.

Look at the cloud option when you install Ubuntu 10.04 and you see a hint of the future cloud. Clouds will be in loosely confederated private hands, rather than strictly in a “public” and proprietary model.

Those who argue that clouds achieve their final state only as public clouds, in the large corporate and proprietary sense, seem to forget that government regulators are a huge factor in confidentiality, integrity and availability. You want privacy? Oh, yeah, then don’t go proprietary. You want high availability (e.g. no one can cut off your service over a contract dispute or non-payment issue)? Then don’t go proprietary. Go LAMP, go open.

It seems to me, then, that the Amazon, Microsoft and Google cloud solutions are a stepping stone and not the end of evolution. We would be wise to call this the proprietary phase of cloud, to be followed by a movement to open platform cloud options.

The real end-state, the future after public clouds, could be something like a contiguous and private network created from appliance-like cloud apps meant to run on any system — like TOR or P2P. Imagine, for example, that every computing device owned by a company (laptops, desktops, handhelds…everything) could provide some portion of CPU, network and memory to their very own compute “cloud”. The role of security in all this will be to allow customers to deploy a free and open cloud infrastructure themselves without the need to hand over everything to a “provider” that they can never trust without real/tangible costs.

Encryption and NV SB 227

Nevada’s Senate Bill 227 came into effect January 1, 2010. It sets a new pace for regulations by defining encryption as “protection of data in electronic or optical form, in storage or in transit”:

(b) “Encryption” means the protection of data in electronic or optical form, in storage or in transit, using:

(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and

(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.

Strange that they leave open-ended what an established standards setting body might include. They will leave it to the lawyers to decide, I suppose.

Also strange is that this is far more specific than the Nevada state breach law, SB 347, which requires data only to be made unintelligible (based on the definition in NRS 205.4742).

The law forbids the transfer of personal information, or of a data storage device containing personal information, without the appropriate encryption. Devices that must use encryption include cell phones, computers, computer drives and magnetic tape. Compliance with other standards such as PCI DSS, HIPAA, GLBA or FISMA will not be considered sufficient for SB 227.

Step in the right direction? Yes. Perfect? No.

Silent Patches

I wrote about undisclosed or silent patches earlier, with regard to Microsoft and Google.

Another consulting firm now has made a public announcement about the same issue.

Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said today.

Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as “important,” its second-highest threat ranking.

I still give Microsoft credit for improving its practices significantly over the years. This is only a slight twist on the same issue. What the consulting firm is complaining about is the risk determination, rather than a patch with no evidence or notice as in the case of Google. The firm contends that Microsoft “‘misrepresented’ and ‘underestimated’ the criticality” of a patch. Microsoft has countered that the fixes were documented and would have been installed as part of the larger group of released patches.