BARCELONA, SPAIN: A spate of data breaches in the recent months has created doubts about
security in the cloud. Yet, Citrix, the virtualization giant, is moving ahead with its vision  to enable its customers "work and play from anywhere".

The company believes that concerns surrounding the virtualization or cloud adoption are a matter of time and believes that cloud would be adopted more aggressively in future.

In an interaction with CIOL on the sidelines of Citrix Synergy 2011 Barcelona, Kurt Roemer, Citrix's chief security strategist on cloud security, talks about Citrix initiatives to strengthen cloud security, the aggressive adopters of cloud and efforts by security community to bring out common guidelines on cloud adoption.

Here are excerpts:

Q: What is the impact of recent data breaches on cloud adoption?

Kurt Roemer: There have been a number of data breaches in the recent past and this has made people lose trust. But we are also seeing more people buying cloud services by asking the right questions and getting what they need for security upfront.

It is interesting to note here that cloud service providers are also enabling more security features as you set up applications in the cloud.

We in Citrix have been continuously working on providing a secure foundation with the hypervisor, security throughout CloudStack, throughout desktop workloads, even in things like ShareFile.

Q: How do you see SMBs adopting cloud services in the present security landscape?

Roemer: In fact, SMBs are more aggressive adapters of cloud as they lack access to IT resources as in larger organizations. When you are going to bring applications online, you can either go out and hire IT staff, install (everything you need), purchase all the equipment, have it configured and two years later you are broke or, well you see what I mean.

Cloud services are attractive as they bring agility. Cloud has been a real enabler to small and medium businesses. Cloud providers have been focusing on them. Even Citrix has continued its focus with our support of SMBs with VDI-in-a-Box.

Q: What about more security-conscious enterprises? Will the public-cloud ever be suitable for them?

Roemer: There has been some concrete works under way to show that cloud computing can be effectively used for very sensitive workloads. The payment card industry (PCI) and the Cloud Security Alliance (CSA) provide very specific guidance on cloud adoption.

In the US, the Obama administration has taken several steps in this regard. Under the newly adopted Cloud First system all new applications must be considered in the cloud first.

The Cloud 2 commission (Roemer was a member of this) has provided advice for secure use of the cloud for the government. The same has been sent out to the private sector as well. The commission has recommendations which guide enterprises on safe cloud adoption.

Q: Don't you there is a need for one standard guidance than having numerous advisory boards which come out with different guidance?

Yes, we do not have the guidance on the same page as of now. But there are some projects to try and unify and tie them together. The CIA and NIST (National Institute of Standards and Technology) have been doing the same. Their cloud computing guidance is continually updated referencing many of the other best practices across the industry.

An organization can go out and audit for that, architect for that and make sure they have a rigorous set of objectives they can use.

Q: There is a lot of concern in Europe about the Patriot Act. What's your view on this?

Roemer: US companies are subject to the Patriot Act, but there has been many interpretations of the Act. But none has a clear visibility to its enforcement.

The Act intends to check criminal enterprises and terrorists that are really compromising all our lives. This has discouraged some companies from doing business in the US. This has allowed regional clouds to pop up.

The problem pops up when a company may have customers in the US, a division in the US or you might have some data that needs to reside in the US… how does the Patriot Act apply?

Q: Given the concerns expressed in Europe, do you want the Patriot Act amended?

At this stage I can’t even predict or comment on whether there would be any changes to the Act.