Group Forms to Attack Cloud Security Concerns

Cloud Security Alliance aims to address issues involving IT security and cloud computing and storage

April 2, 2009


Few doubt the potential benefits of cloud computing and storage -- on-demand access to computing and storage resources where cost is directly correlated to system usage. But what about securing those servers, applications, and the data being hosted and managed by the cloud services providers? How does the service provider ensure the data remains confidential, isn't altered, and is always available when needed?

While cursory answers to those questions may satisfy many small businesses for some of the data they store and manage on cloud-based services, that's not good enough for IT systems being managed for government agencies, heavily regulated companies, or retailers that fall under the umbrella of Sarbanes-Oxley, the Health Information Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS).

Public companies, because of Sarbanes-Oxley, need to verify that adequate controls are in place to keep financial information secure from tampering and unauthorized eyes, and online retailers need to be certain that all of the many controls of PCI DSS are in place. If regulated businesses, or more importantly the auditors and regulatory authorities, are not convinced that cloud service providers are secure and they fail to properly substantiate the security they have in place, it's a showstopper for the technology's adoption by enterprise IT departments.

As more complex systems, and data with high business value, are moved to cloud services, nearly every aspect of IT security management must move with them. That includes everything from encryption and key management and e-discovery to application security and governance, risk, and compliance frameworks.

Industry participants created the Cloud Security Alliance, announced Tuesday, as a not-for-profit organization with the mission of promoting the use of best practices for providing security assurance within cloud computing. "There are those in government who want the benefits of the cloud, but security concerns and compliance to government security standards have them considering building private clouds designed specifically for government use," explains Christofer Hoff, an independent security analyst and researcher and a founding member and technical adviser to the CSA.

To help ease the security concerns associated with the move to cloud-based computing, the CSA turned to experts within IT governance, law, network security, audit, application security, storage, cryptography, virtualization, risk management, and others to create the guidance necessary for organizations to securely make the move.

The group will deliver its initial paper later this month at the 2009 RSA Security Conference. The paper examines 15 specialties in information security, including security architecture, information lifecycle management, and business continuity and disaster recovery, and examines the risks and opportunities of each. "Initially, we are providing pragmatic advice in each domain that enterprises can use proactively to better protect their enterprise in its engagement with cloud providers," says Jim Reavis, a co-founder of the Cloud Security Alliance.

"Example issues we are hoping to provide timely advice toward are: How do I structure agreements to protect against secondary uses of my data? In an e-discovery scenario, how do I ensure that the cloud provider does not jeopardize a company's ability to preserve and produce required records and information? How do I assure data destruction? Are SaaS, IaaS, and PaaS equal in terms of portability to different providers, and if not, what are the risks and mitigation options available? How can key management be optimally used to leverage cloud computing to its fullest while narrowing the threat of data breaches?" Reavis says.

It's also early enough in the evolution of cloud services for organizations to have an impact in how those services are built so that they support good security and regulatory governance, says Hoff.
