The Year of the Cloud
Vendors unite to address security issues
- By Margaret Dawson
- Jan 03, 2011
Nearly every day, a new report or headline touts the latest cloud
computing security scare. Take these recent news bits: only 47
percent of respondents believe cloud services are evaluated for
security before deployment; 60 percent of 1,600 senior executives
in 56 countries perceive an increase in risk from the use of cloud
computing and 48.1 percent said they are not confident a compliance audit of
their cloud-based apps would show that all user access is appropriate.
The hype about cloud computing is hard to ignore, as industry analysts, pundits,
bloggers, IT departments and CIOs all try to figure it out while being told
to leverage its agility and cost-effectiveness, yet given little guidance about how
to do so.
First, it is necessary to clarify an important point that cloud computing is nothing
more than a new consumption model for technology. This point gets lost in all
the hype, and people often talk about the cloud as if, by itself, it will create world
peace, or at least eliminate all technology woes. While it’s not a panacea, a cloudbased
consumption model does have clear, measurable benefits, such as faster
time-to-implementation, less infrastructure burden, more affordable pay-as-yougo
pricing and easy scalability up or down.
As with any solution, cloud-based products bring risk. Because putting your
infrastructure, Web development environment or application in the cloud takes
away IT control, the fears around data protection and overall security are understandable.
However, evaluating cloud security should be no different than evaluating any
other solution. A good cloud vendor should be able to withstand a security review,
produce security audit reports, prove compliance adherence and document access
control rules, among a number of other security-related best practices.
Not so long ago, network administrators thought putting an SSL VPN in the
DMZ was absolute foolishness, and there was no way they were going to allow a
“hole” in their firewall to let mobile workers access data on the corporate network.
The cloud is today’s deperimiterization argument.
Just as there are differences among products in any category, all clouds are not
created equal. There is not yet a standard by which to judge clouds; however, the
people in the cloud industry are moving in that direction.
The industry is responding to IT concerns about cloud security and lack of
standardization or criteria around cloud computing, and we are seeing the formation
of industry groups, forums and associations across vendors and standards
bodies. In 2011, this cooperation will accelerate, as much of the groundwork has
already been put in place in the last year.
Even the government is trying to help. For example, the National Institute of
Standards and Technology -- the folks who brought you the Federal Information
Processing Standards known as FIPS -- recently hosted a cloud computing forum
and workshop on next steps in developing cloud computing standards.
In Asia, 11 companies representing the computing, software, hardware and service
provider communities, including Cisco, Microsoft and Verizon, have pooled
their resources to form a nonprofit organization called the Asia Cloud Computing
Association or “Asia Cloud.”
One of the first organizations to create a unified recommendation for cloud security
was the Cloud Security Alliance. Born in 2008 from an idea and discussion
during a security practitioners’ conference, the ISSA CISO Forum in Las Vegas,
the founders have brought together academics, enterprises, vendors and experts to
develop guidance and promote best practices for security assurance within cloud
computing. CSA’s mission is to promote a common level of understanding between
the consumers and providers of cloud.
This might sound very “kumbaya,” but in two short years, the CSA has grown
into a strong organization that has successfully shifted the discussion on cloud
security. Today, it has more than 10,000 members and a myriad of resources. In
November 2010, the CSA hosted its annual Congress, and its published “Security
Guidance for Critical Areas of Focus in Cloud Computing” is in version 2.1.
The Open Web Application Security Project (OWASP) is another nonprofit organiza
and open community dedicated to improving the security of application
software. It draws its spirit from the open-source community and is focused
on the element of trust on the Web. The OWASP Top 10 identifies the 10 most
critical Web application security risks and also provides guidance on how to avoid
or avert these risks. Remember, a cloud solution is built on the Internet.
The PCI DSS compliance mandate, which is a must-have for the credit card
industry, includes the OWASP Top 10 as part of its framework. We also will see
regulations such as PCI DSS start to apply specific cloud security mandates to its
While anxiety over cloud security is not likely to go away anytime soon, we will
see heightened cooperation and focus by cloud vendors and the industry at large
to help companies increase confidence and understand when leveraging the cloud
is appropriate and safe.
In addition, as more companies employ cloud solutions, best practices will
emerge on the enterprise side from which we can all learn.
And we are already seeing a shift in attitude. In a recent survey we conducted,
84 percent of respondents said they believe sensitive data can be secure in the
cloud, while nearly half said they believe cloud solutions are as secure as on-premise
Survey results aside, you need to decide what is right for your organization. If
the business needs to move quickly to address customer needs, you most likely will
be looking to the cloud to solve the challenge. When you do, approach the cloud
solution with the same security requirements and criteria as you would any solution
in your own data center. And a reminder to my cloud vendor
brethren: The onus is on us to continue to raise the bar on best
practices, be compliant and develop SLAs that provide the most
secure environment possible to our customers.
This article originally appeared in the January 2011 issue of Security Today.