I interviewed Kurt Roemer for this topic. Kurt is Chief Security Strategist for Citrix Systems and a member of the CTO Office. He’s a seasoned information security veteran with more than 20 years’ experience in networking, applications, and the evolving Web services infrastructure markets. He has designed, implemented, and assessed solutions and policies for Fortune 1000, mid-size, and government organizations worldwide. Roemer is a CISSP and has spoken at a wide variety of leading industry shows and conferences across the globe including BITS, CSI, RSA, Networld+Interop, Japan’s inaugural Web Application Security Forum, Society for Information Management, ITEC, SecureAsia and numerous regional ISSA and InfraGard conferences. He has also appeared as a security expert on CNN, Fox Business News, and the Fox News Channel and is well known for his popular “Web Hacking Live” sessions. Prior to joining Citrix, Kurt held roles as CTO/CSO at NetContinuum and headed up information technology practices at Micron Electronics, NetFRAME and Hewitt.
Q: Kurt, isn’t Cloud Computing competitive with Citrix?
A: In some ways, yes, but in many ways interest in Cloud Computing actually creates opportunities for Citrix. Our NetScaler and XenServer products are good examples of this. Both NetScaler and XenServer are powering major cloud providers today. We also have partners, such as 3Tera, who are hosting applications, using XenApp and XenDesktop, on the Cloud.
Q: It seems to me that Cloud Computing requires that you really trust the provider – after all you are turning over your valuable data to them – is this a consideration?
A: Yes. The old security mantra was that physical security trumps all. With the Cloud you lose control over physical security. The actual servers could be anywhere the provider decides to put them, factoring in availability and least cost. This is significantly different than a SaaS model, especially as you factor in access to data, backups, encryption keys and other security concerns.
When you sign an agreement with a provider you agree to pay for a certain amount of storage and resources like applications and are committed service levels. You lose control over the assets in some respects and therefore the security model must be refactored.
Q: The security concerns with this must make security professionals uncomfortable. Tell me more about what Citrix has to offer to improve this situation.
A: The fundamentals are encryption of data and access control to data. Citrix has recently introduced the Citrix Cloud Center, which is composed of several Citrix offerings. Access Gateway and NetScaler address encryption, and Access Gateway provides authentication services. In addition to the security features, the Citrix Cloud Center provides geo-location with NetScaler (where the user can be connected to different hardware in different regions in the world, but yet have all the same applications and capabilities), local data caching with WANScaler and orchestration with Workflow Studio. Citrix is also working with key ecosystem partners to enable end-to-end security in the cloud model.
Q: What is the future of security in Cloud Computing?
A: The ultimate solution is data-level security. After all, sensitive data is the domain of the enterprise, not the Cloud Computing provider. Security will need to move to the data level so that enterprises can be sure their data is protected, wherever it goes. For example, with data-level security, the enterprise can specify that this data is not allowed to go outside of the US. It can also force encryption of certain types of data, and permit only specified users to access the data. It can provide compliance with PCI. We are working with several partners in the data security area.