Trend Micro Reveals Cloud Computing Security Strategy

At the RSA conference in San Francisco, Trend Micro CTO Raimund Genes discusses the company's plans for building private clouds within public clouds.

For Trend Micro CTO Raimund Genes, talking about the cloud is nothing new. But now, things are slightly different; instead of talking about Trend Micro offering security services in the cloud, the company is examining the concept of securing the cloud infrastructure that enterprises are expected to adopt, Genes said.

"The last few years we invested in delivering security from the cloud ... and now, more and more security for the cloud [is what] you will see [in] the first products this year," Genes explained in a conversation with eWEEK at the RSA conference in San Francisco.

That starts with a focus on virtualization. Currently, the company aims to solve virtual security issues with its Deep Security technology, which transparently enforces security policies on VMware vSphere virtual machines. But looking ahead, Trend Micro is extending its encryption technology to virtual environments to help organizations build a "private cloud within a public cloud," the CTO said.

"To protect data in the cloud, Trend Micro works on a product which encrypts virtual machines in the cloud," he explained. "So you could build your virtual machine in-house [and] put it into Amazon's elastic cloud, but the machine will be encrypted. Only the one who has the key could access this VM in the cloud. Together with identity-based key management, this enables companies to use the cloud even for confidential data, customer records [and so on]."

Right now the encryption and key management product is being tested by some ISPs in Europe, and is expected to be ready in the second half of 2010, he said.

Securing cloud environments was a hot topic at RSA, and there was no shortage of vendors and analysts offering up opinions as to what enterprises need to focus on to make sure their data is safe. According to Genes, U.S. companies are adopting cloud computing faster than enterprises in Europe, which seem to be more worried about issues of compliance and data protection.

"[U.S. companies] are not as concerned as European ones, but still there are security concerns," Genes said. "Virtualization is adopted by 37 percent of U.S. enterprises. I don't have [the] percentage on cloud computing but the cost savings speak for themselves ... But without proper security, a lot of companies simply can't do it."

As a good rule of thumb, any cloud vendor should be held to the same compliance standards its customers have to comply with, Nils Puhlmann, co-founder of the Cloud Security Alliance, told eWEEK in an e-mail.

"While we encourage [companies] to use the CSA Guidance document to ensure [that] all areas of security domains are covered, different compliance regulations ask for very specific requirements to be met," Puhlmann said. "These requirements need to be met where the data is stored and handled."

Without the proper level of security and controls, cloud computing simply does not compute, Genes said.

"I would be scared to death to put customer data into the cloud without a guarantee from the cloud vendor that nobody else could touch my data," he said.