
Experts Get Serious About Cloud Security

In what could turn out to be a giant leap for cloud computing, a collection of cyber security experts from across the IT spectrum has launched the Cloud Security Alliance (CSA). The group’s stated mission is to promote best practices that ensure security in the cloud, and founding members include everyone from Jim Reavis, co-founder of Reavis Consulting Group, to David Cullinane, chief information security officer at eBay, and Alan Boehme, senior VP of IT strategy and architecture at ING.

I spoke with founding member Paul Kurtz, partner at Good Harbor Consulting, to get some details on the news — and I was a little surprised by what he had to say. While questions still remain in areas like data retrieval and identity management, Kurtz believes cloud computing is already secure enough to be used by large enterprises for mission-critical tasks. In fact, he thinks there are many security advantages to cloud computing. These include rapid software updates and upgrades, and, depending on the provider, multifactor authentication. It’s the outsourcing of IT operations to a third party that makes execs “swallow hard,” but he notes that even large banks already have run SAS 70 audits and assured themselves they can get what they need from the cloud.

With this in mind, the CSA exists not to make the cloud ready for the enterprise, but to make sure it remains usable. “The point is to think about security now, not after we’ve had a big event,” he told me; you don’t want to retrofit a fix. And given the “intense gravitational pull” of all things into the cloud, now is a timely moment to convene this consortium of practitioners. Thus far, Kurtz is not aware of any successful attacks on the cloud, but he points out that there’s no harm in being ahead of the game.

Kurtz, who advised President Bush on critical infrastructure protection and looked at information security for the Obama transition team, says the cloud is even ready for the security requirements of the federal government. “The real question,” he noted, “is whether the federal government is ready for cloud computing.” For example, the Federal Information Security Management Act (FISMA) was developed with client-server architectures in mind, and it still requires agency-by-agency accreditation for each individual vendor. This process becomes highly repetitive with the cloud model, though, where each agency would be testing the same system over and over again.

But change could be on the way. Kurtz says Vivek Kundra, administrator for e-government and IT for the Office of Management and Budget (essentially CIO for the federal government), is a big proponent of the cloud. (Check out this video of Obama’s TIGR team, including Kundra in his previous role as CTO for the District of Columbia, touting cloud computing.) Several agencies already are considering how to leverage the cloud, and Defense Information Systems Agency (DISA) CIO John Garing told me in October that he supports the formation of a single entity to provide computing services to all of the federal government. Such a sweeping change would have to come from the White House and Congress, he said, and that possibility seems a lot more likely with our pro-cloud executive branch.

Even before its official launch at the RSA Conference later this month, the CSA seems more legit than the “vapor tiger” Open Cloud Manifesto. As opposed to over-competitive vendors proposing — and quibbling over — non-binding, non-functional principles, the CSA comprises actual cloud users and security experts, and it already has 15 specific areas in which it plans to issue actual deliverables throughout the year. Such alliances already have borne fruit in web services and grid computing, so there’s reason to have faith in the CSA.

14 Responses to “Experts Get Serious About Cloud Security”

  1. The introduction of the Cloud Security Alliance (CSA) is a great addition to the cloud computing market and will no doubt keep a watchful eye on the innovations and regulations that are created. With the notice of attacks on GoGrid, the launch of the CSA is justified as documentation can take place to hinder future attacks in similar circumstances. With many corporations becoming more comfortable with the cloud and new vendors jumping into the market every day, a larger security alliance is just what cloud computing needs to oversee its development. – Julien Courbe, BearingPoint

  2. There are several elements. As Alan says above, there is the underwriting of Cloud providers (or hosting centers, as they used to be called about 3 months ago); then there is a requirement for federated services to enable smooth roaming of user identity from one provider to another to access different resources, combined with the need for an increase in bandwidth and speed (which is something that a lot of the world still struggles with outside of metropolitan areas).

    But security is the key issue; whilst organisations are happy to outsource discrete silos of information (such as those using Salesforce), there are still major security concerns, with no mechanism for endpoint analysis or integrity checking and feedback to allow for sense-and-respond functionality within the applications (e.g. the client has AV but not on a known device, so certain functions are disabled within the application).

    Until these types of issues are resolved then Cloud will struggle as did Application Service Provision (ASP) at the turn of the century.

  3. I think that cloud viability goes beyond SAS70 and data security. The real question is whether the big market slice of small and medium biz owners that wish to cut from internal to hosted grid….can get insurance underwriting to cover continuity. There is no policy underwriting for thinly capitalized cloud providers, and likewise, no one willing to insure business application performance even when running on the giants.