Summary:

In what could turn out to be a giant leap for cloud computing, a collection of cyber security experts from across the IT spectrum has launched the Cloud Security Alliance. The group’s stated mission is to promote best practices that ensure security in the cloud, and founding members include everyone from Jim Reavis, co-founder of Reavis Consulting Group, to David Cullinane, chief information security officer at eBay, and Alan Boehme, senior VP of IT strategy and architecture at ING. The CSA’s aim is not, however, to make the cloud ready for the enterprise, but to make sure it remains usable.

In what could turn out to be a giant leap for cloud computing, a collection of cyber security experts from across the IT spectrum has launched the Cloud Security Alliance (CSA). The group’s stated mission is to promote best practices that ensure security in the cloud, and founding members include everyone from Jim Reavis, co-founder of Reavis Consulting Group, to David Cullinane, chief information security officer at eBay, and Alan Boehme, senior VP of IT strategy and architecture at ING.

I spoke with founding member Paul Kurtz, partner at Good Harbor Consulting, to get some details on the news — and I was a little surprised by what he had to say. While questions still remain in areas like data retrieval and identity management, Kurtz believes cloud computing is already secure enough to be used by large enterprises for mission-critical tasks. In fact, he thinks there are many security advantages to cloud computing. These include rapid software updates and upgrades, and, depending on the provider, multifactor authentication. It’s the outsourcing of IT operations to a third party that makes execs “swallow hard,” but he notes that even large banks already have run SAS 70 audits and assured themselves they can get what they need from the cloud.

With this in mind, the CSA exists not to make the cloud ready for the enterprise, but to make sure it remains usable. “The point is to think about security now, not after we’ve had a big event,” he told me; you don’t want to retrofit a fix. And given the “intense gravitational pull” of all things into the cloud, now is a timely moment to convene this consortium of practitioners. Thus far, Kurtz is not aware of any successful attacks on the cloud, but he points out that there’s no harm in being ahead of the game.

Kurtz, who advised President Bush on critical infrastructure protection and looked at information security for the Obama transition team, says the cloud is even ready for the security requirements of the federal government. “The real question,” he noted, “is whether the federal government is ready for cloud computing.” For example, the Federal Information Security Management Act (FISMA) was developed with client-server architectures in mind, and it still requires agency-by-agency accreditation for each individual vendor. This process becomes highly repetitive with the cloud model, though, where each agency would be testing the same system over and over again.

But change could be on the way. Kurtz says Vivek Kundra, administrator for e-government and IT for the Office of Management and Budget (essentially CIO for the federal government), is a big proponent of the cloud. (Check out this video of Obama’s TIGR team, including Kundra in his previous role as CTO for the District of Columbia, touting cloud computing.) Several agencies already are considering how to leverage the cloud, and Defense Information Systems Agency (DISA) CIO John Garing told me in October that he supports the formation of a single entity to provide computing services to all of the federal government. Such a sweeping change would have to come from the White House and Congress, he said, and that possibility seems a lot more likely with our pro-cloud executive branch.

Even before its official launch at the RSA Conference later this month, the CSA seems more legit than the “vapor tiger” Open Cloud Manifesto. As opposed to over-competitive vendors proposing — and quibbling over — non-binding, non-functional principles, the CSA comprises actual cloud users and security experts, and it already has 15 specific areas in which it plans to issue actual deliverables throughout the year. Such alliances already have borne fruit in web services and grid computing, so there’s reason to have faith in the CSA.

By Derrick Harris
  1. I think that cloud viability goes beyond SAS70 and data security. The real question is whether the big market slice of small and medium biz owners that wish to cut from internal to hosted grid… can get insurance underwriting to cover continuity. There is no policy underwriting for thinly capitalized cloud providers, and likewise, no one willing to insure business application performance even when running on the giants.

  2. There are several elements, as Alan says above, there is the underwriting of Cloud providers (or hosting centers as they used to be called about 3 months ago) then there is a requirement for federated services to enable smooth roaming of user identity from one provider to another to access different resources; combined with the need for an increase in bandwidth and speed (which is something that a lot of the world still struggles with outside of metropolitan areas).

    But security is the key issue; whilst organisations are happy to outsource discrete silos of information (such as those using Salesforce) there are still major security concerns with no mechanism for end point analysis or integrity checking and feedback to allow for sense and respond functionality within the applications (e.g. the client has AV but not on a known device so certain functions are disabled within the application).

    Until these types of issues are resolved then Cloud will struggle as did Application Service Provision (ASP) at the turn of the century.

    Thanks

    brian

  3. Derrick Harris Tuesday, March 31, 2009

    Maybe we spoke too soon. GoGrid just got tagged by a DDoS attack that downed some customers.

    You can find some details at http://www.gogridstatus.com/.

  4. This confirms some of the inevitability of the Cloud. The economy, the political climate, and the technology are coming together.

    On a lighter note, Good Harbor Consulting (where Kurtz works) is led by Richard Clarke, former White House Security Advisor. So it carries some weight. http://idisposable.net/2009/03/31/jack-bauer-says-the-cloud-is-ready-for-the-enterprise-sort-of/

  5. The introduction of the Cloud Security Alliance (CSA) is a great addition to the cloud computing market and will no doubt keep a watchful eye on the innovations and regulations that are created. With the notice of attacks on GoGrid, the launch of the CSA is justified as documentation can take place to hinder future attacks in similar circumstances. With many corporations becoming more comfortable with the cloud and new vendors jumping into the market every day, a larger security alliance is just what cloud computing needs to oversee its development. – Julien Courbe, BearingPoint
