So it's a matter of understanding what you can do, what they're going to do, and looking at it from a threat-modeling standpoint -- we know we're not going to be able to amend the contract to any great deal, so where are our exposures, and what do we have to do to address or mitigate those exposures when making that decision?
KINGSBERRY: When we went to Amazon we were in negotiations for months. We literally had our general counsel talk directly to Amazon and they had to modify their terms or we were not going to migrate. Microsoft as well. We literally restructured the whole agreement. And right when we were at the place of agreeing to all the changes made, Microsoft GovCloud was released. They learned from us what the federal government needed, and then the terms and conditions were rolled into the GovCloud we know today. The government was not going to come in if they didn't remove language about the possibility of our data ending up in third-world countries.
NW: So there is still a lot of learning going on and people on both sides have to be adaptable.
ROTHMAN: It's really early days when you think about the fact that we haven't been through a cycle of litigation and precedent, and that could take years. Until that happens, all this stuff is reasonably academic.
NW: How about the maturity of the cloud security tools themselves? Are they where they need to be?
ROTHMAN: You'll walk around the RSA Conference and everybody will say their tools don't need to change, everything works great and life is wonderful. And then after you're done smoking the RSA hookah you get back to reality and see a lot of fundamental differences of how you manage when you don't have visibility. How do you enforce network policies when you're restricted to security groups and you only have the ability to open up certain protocols? And you have access through APIs that may be gamed to terminate or reconfigure instances on the fly, without requiring administrative access to the cloud instance. You've also got different cryptographical hierarchies that are required to provide access to those instances. If the management tools are not built specifically to provide consistent access to cloud resources, wherever they are, things can go downhill pretty quickly.
So again, the idea of consistency is critical. But it's a management problem before it's a security problem. So now you have the ability to, within minutes, provision all sorts of servers. OK. But that creates an issue in terms of configuration management, in terms of patch management, etc. So on one hand the tools really have to be mature to overcome and instrument your lack of visibility in a cloud type of environment, but there's still a lot of blocking and tackling needed in terms of just the basic operational disciplines.
Sign up for CIO Asia eNewsletters.