The Year of the Cloud

Vendors unite to address security issues

Nearly every day, a new report or headline touts the latest cloud computing security scare. Take these recent news bits: only 47 percent of respondents believe cloud services are evaluated for security before deployment; 60 percent of 1,600 senior executives in 56 countries perceive an increase in risk from the use of cloud computing and 48.1 percent said they are not confident a compliance audit of their cloud-based apps would show that all user access is appropriate.

The hype about cloud computing is hard to ignore, as industry analysts, pundits, bloggers, IT departments and CIOs all try to figure it out while being told to leverage its agility and cost-effectiveness, yet given little guidance about how to do so.

First, it is necessary to clarify an important point that cloud computing is nothing more than a new consumption model for technology. This point gets lost in all the hype, and people often talk about the cloud as if, by itself, it will create world peace, or at least eliminate all technology woes. While it’s not a panacea, a cloudbased consumption model does have clear, measurable benefits, such as faster time-to-implementation, less infrastructure burden, more affordable pay-as-yougo pricing and easy scalability up or down.

As with any solution, cloud-based products bring risk. Because putting your infrastructure, Web development environment or application in the cloud takes away IT control, the fears around data protection and overall security are understandable.

However, evaluating cloud security should be no different than evaluating any other solution. A good cloud vendor should be able to withstand a security review, produce security audit reports, prove compliance adherence and document access control rules, among a number of other security-related best practices.

Not so long ago, network administrators thought putting an SSL VPN in the DMZ was absolute foolishness, and there was no way they were going to allow a “hole” in their firewall to let mobile workers access data on the corporate network.

The cloud is today’s deperimiterization argument.

Just as there are differences among products in any category, all clouds are not created equal. There is not yet a standard by which to judge clouds; however, the people in the cloud industry are moving in that direction.

The industry is responding to IT concerns about cloud security and lack of standardization or criteria around cloud computing, and we are seeing the formation of industry groups, forums and associations across vendors and standards bodies. In 2011, this cooperation will accelerate, as much of the groundwork has already been put in place in the last year.

Even the government is trying to help. For example, the National Institute of Standards and Technology -- the folks who brought you the Federal Information Processing Standards known as FIPS -- recently hosted a cloud computing forum and workshop on next steps in developing cloud computing standards.

In Asia, 11 companies representing the computing, software, hardware and service provider communities, including Cisco, Microsoft and Verizon, have pooled their resources to form a nonprofit organization called the Asia Cloud Computing Association or “Asia Cloud.”

One of the first organizations to create a unified recommendation for cloud security was the Cloud Security Alliance. Born in 2008 from an idea and discussion during a security practitioners’ conference, the ISSA CISO Forum in Las Vegas, the founders have brought together academics, enterprises, vendors and experts to develop guidance and promote best practices for security assurance within cloud computing. CSA’s mission is to promote a common level of understanding between the consumers and providers of cloud.

This might sound very “kumbaya,” but in two short years, the CSA has grown into a strong organization that has successfully shifted the discussion on cloud security. Today, it has more than 10,000 members and a myriad of resources. In November 2010, the CSA hosted its annual Congress, and its published “Security Guidance for Critical Areas of Focus in Cloud Computing” is in version 2.1.

The Open Web Application Security Project (OWASP) is another nonprofit organiza

tion and open community dedicated to improving the security of application software. It draws its spirit from the open-source community and is focused on the element of trust on the Web. The OWASP Top 10 identifies the 10 most critical Web application security risks and also provides guidance on how to avoid or avert these risks. Remember, a cloud solution is built on the Internet.

The PCI DSS compliance mandate, which is a must-have for the credit card industry, includes the OWASP Top 10 as part of its framework. We also will see regulations such as PCI DSS start to apply specific cloud security mandates to its requirements.

While anxiety over cloud security is not likely to go away anytime soon, we will see heightened cooperation and focus by cloud vendors and the industry at large to help companies increase confidence and understand when leveraging the cloud is appropriate and safe.

In addition, as more companies employ cloud solutions, best practices will emerge on the enterprise side from which we can all learn.

And we are already seeing a shift in attitude. In a recent survey we conducted, 84 percent of respondents said they believe sensitive data can be secure in the cloud, while nearly half said they believe cloud solutions are as secure as on-premise solutions.

Survey results aside, you need to decide what is right for your organization. If the business needs to move quickly to address customer needs, you most likely will be looking to the cloud to solve the challenge. When you do, approach the cloud solution with the same security requirements and criteria as you would any solution in your own data center. And a reminder to my cloud vendor brethren: The onus is on us to continue to raise the bar on best practices, be compliant and develop SLAs that provide the most secure environment possible to our customers.

This article originally appeared in the January 2011 issue of Security Today.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.