RSA Keynote: Cloud's Future Depends on Security

Cloud computing has the ability to complete the transformation of information technology that was started by the Internet, but its success depends on security, said Art Coviello, RSA president and EMC Corp.'s executive vice president, on Tuesday in his opening keynote of this week's RSA Security Conference.

"The journey to the cloud is inevitable, and we are going to have to secure it," he said.

Cloud computing has the ability "to make sweeping changes in the infrastructure" by freeing organizations of the need to spend two-thirds of their IT budgets on basic expenses. Instead, they can invest in resources on-demand, he said. "But we have to be careful we don't end up in security hell."

Scott Charney, Microsoft's vice president of trustworthy computing, said cloud computing has new implications for the company's 9-year-old Trustworthy Computing Initiative. It moves the goal of end-to-end trust out of the PC or the enterprise and into a new environment where no one entity has access or authority. Identity authentication and privacy will be the key elements in enabling cloud computing, Charney said. 

RSA has announced an initiative with VMware, Intel and Archer Technologies to enable the visibility into cloud security that will be required to ensure that policy and regulations can be enforced in the virtual environment. Microsoft has announced that it is making cryptographic algorithms for its U-Prove minimal disclosure ID management scheme available for use under an open source license.

Coviello said the security industry has the opportunity to ensure that security is built into cloud computing from the beginning so that it can be used to its full potential. "People must be able to trust the cloud," he said.

In this early phase, there is little critical information and few critical applications being used in the cloud, so security requirements have not yet been demanding. But as adoption expands and risks increase, "security will get pushed down the stack, deep into the virtual layer," he said. As resources are outsourced, the ability to enforce and document policies and to demonstrate regulatory compliance will be needed, he said.

The movement of data into a virtual environment not controlled by individuals requires a rethinking of how we approach identity management, Charney said. Enabling security along with privacy requires the ability for a user to prove the minimum necessary information about himself during a transaction, without exposing unnecessary information. That is the purpose of the U-Prove scheme. It is a "claims-based" identity system based on proving certain claims about the user without including the entire identity if not necessary.

Charney warned there are also social, political and legal issues that will have to be addressed as more data moves into the cloud.

"The cloud has the ability to alter the balance of power between the individual and the state," he said. "Everything will go to the cloud. Government and litigants can go to the cloud and get that information without coming to the individual."

About the Author

William Jackson is the senior writer for Government Computer News (

