Review of Cloud Security Alliance Guidance

May 2nd, 2009 | 2 Comments | Posted in Cloud Computing, Security and Compliance

During RSA 2009, Cloud Security Alliance released its Guidance for Critical Areas of Focus in Cloud Computing (pdf). Below are the comments I made on twitter (using hashtag #csaguide). Later on George Hulme (@GeorgeVHulme) also posted his comments to #csaguide as well as written a blog post on it.

My Twitter Comments

Page 19, not sure about the tie of “private clouds” and “single-tenant (dedicated)”. For example, multi-tenancy is important even for the on-premise cloud within the enterprise. Also, the off-premise cloud piece (essentially an extension of the customer’s on-premise cloud) could be on a multi-tenant cloud. Other than that, i am kewl with the definition of “private cloud”..or maybe i am just not reading correctly..

There seems to be some font size issues with the Governance portion of the doc…or maybe it’s just my adobe reader.

Domain 2 on Governance reads like a list of things that’s designed for an outsourcing checklist…and maybe it should be…but i wonder how likely it is a customer will get that from like google. Apologies to @jsbardin in advance, but seems like this domain is rushed…there’s a lot more context that can help readers. Domain 2 should really be “IT Governance” and not Governance in general. For example, it doesn’t cover corporate governance.

Wassup with domain 3 with copyright to Francoise Gilbert? Domain 3 on legal issues is quite well written i think…covered a lot of the issues folks have been talking about.

Domain 5 on compliance and audit is a bit light as well…good stuff in there…but i think there’s a lot more that can be said.

There seems to be quite a bit of overlap from domain 2 to domain 6…especially around data/information mgmt. Not necessarily a bad thing to keep hammering it in..but i wonder if there might be a better way to structure these.

Surprised at the shortness of domain 7 on portability and interoperability…there’s pro’ly more to it i am sure..good start. Pro’ly at least 3 layers to portability…data, app, and server image (in the case of IaaS)…i think only the first 2 are covered.

Domain 8 covers some of the same issues as b4..but good list…can def’ly be expanded..good stuff tho.

A bit perplexed bout domain 9…not sure what the goal is for this write up…maybe i just need more brain cells.

Good issues being raised in domain 10…not sure if there’s a lot of guidance…must re-read another time.

Domain 11, page 65, “In an Infrastructure as a Service (IaaS) cloud platform”?? is it a cloud platform or cloud infra? Top of page 66…”local data storage is not persisted across machine restarts”…HUH?! wah? seriously? EC2 only maybe. Page 66 under “IaaS Impact”, “comparable controls do not exist by default..” again…says who? too limited of a view. Think domain 11 author should be diligent in how they use the word “platform”…could be confusing. Top of page 68, Figure 4, actually in many cases dev & test are outside and production is inside. So while figure 4 is valid for some, def’ly not for all. Again..lots of good stuff in domain 11…not sure i agree w/ everything…good start and write up nonetheless. PaaS and SaaS section somewhat light.

Skipping domain 12 [for now]

Scanned domain 13…raises many good issues. [Re-read later]

Domain 14 again raises issues…but seems to be short on guidance. [Again, re-read later]

Not sure what to think of domain 15…must re-read later.
