Thursday, April 2, 2009

Experts Get Serious About Cloud Security

Derrick Harris | Tuesday, March 31, 2009 | 8:57 AM PT

In what could turn out to be a giant leap for cloud computing, a collection of cyber security experts from across the IT spectrum has launched the Cloud Security Alliance (CSA). The group's stated mission is to promote best practices that ensure security in the cloud, and founding members include everyone from Jim Reavis, co-founder of Reavis Consulting Group, to David Cullinane, chief information security officer at eBay, and Alan Boehme, senior VP of IT strategy and architecture at ING.

I spoke with founding member Paul Kurtz, partner at Good Harbor Consulting, to get some details on the news — and I was a little surprised by what he had to say. While questions still remain in areas like data retrieval and identity management, Kurtz believes cloud computing is already secure enough to be used by large enterprises for mission-critical tasks. In fact, he thinks there are many security advantages to cloud computing. These include rapid software updates and upgrades, and, depending on the provider, multifactor authentication. It's the outsourcing of IT operations to a third party that makes execs "swallow hard," but he notes that even large banks already have run SAS 70 audits and assured themselves they can get what they need from the cloud.

With this in mind, the CSA exists not to make the cloud ready for the enterprise, but to make sure it remains usable. "The point is to think about security now, not after we've had a big event," he told me; you don't want to retrofit a fix. And given the "intense gravitational pull" of all things into the cloud, now is a timely moment to convene this consortium of practitioners. Thus far, Kurtz is not aware of any successful attacks on the cloud, but he points out that there's no harm in being ahead of the game.

Kurtz, who advised President Bush on critical infrastructure protection and looked at information security for the Obama transition team, says the cloud is even ready for the security requirements of the federal government. "The real question," he noted, "is whether the federal government is ready for cloud computing." For example, the Federal Information Security Management Act (FISMA) was developed with client-server architectures in mind, and it still requires agency-by-agency accreditation for each individual vendor. This process becomes highly repetitive with the cloud model, though, where each agency would be testing the same system over and over again.

But change could be on the way. Kurtz says Vivek Kundra, administrator for e-government and IT for the Office of Management and Budget (essentially CIO for the federal government), is a big proponent of the cloud. (Check out this video of Obama's TIGR team, including Kundra in his previous role as CTO for the District of Columbia, touting cloud computing.) Several agencies already are considering how to leverage the cloud, and Defense Information Systems Agency (DISA) CIO John Garing told me in October that he supports the formation of a single entity to provide computing services to all of the federal government. Such a sweeping change would have to come from the White House and Congress, he said, and that possibility seems a lot more likely with our pro-cloud executive branch.

Even before its official launch at the RSA Conference later this month, the CSA seems more legit than the "vapor tiger" Open Cloud Manifesto. As opposed to over-competitive vendors proposing — and quibbling over — non-binding, non-functional principles, the CSA comprises actual cloud users and security experts, and it already has 15 specific areas in which it plans to issue actual deliverables throughout the year. Such alliances already have borne fruit in web services and grid computing, so there's reason to have faith in the CSA.

15 Domains of Concern

  • Information Lifecycle Management
  • Governance and Enterprise Risk Management
  • Compliance and Audit
  • General Legal
  • eDiscovery
  • Encryption and Key Management
  • Identity and Access Management
  • Storage
  • Virtualization
  • Application Security
  • Portability and Interoperability
  • Data Center Operations Management
  • Incident Response, Notification, and Remediation
  • "Traditional" Security Impact (business continuity, disaster recovery, physical security)
  • Architectural Framework