
Industry alliance seeks standards to eliminate the security concerns impeding cloud computing adoption.
Cloud computing offers enticing advantages such as reduced maintenance costs, increased flexibility and extreme scalability, yet many IT professionals remain fearful that sensitive data will fall into the wrong hands if their organizations rush into the cloud.
Their fears aren’t unfounded. For all its benefits, cloud computing has unique attributes that require risk assessment in areas such as data integrity, recovery and privacy. Cloud platforms can also have an impact on legal issues in areas such as e-discovery, regulatory compliance and auditing.
In a recent survey of hundreds of IT professionals, the Cloud Security Alliance (CSA) found near-unanimous agreement that security is the principal concern impeding the widespread adoption of cloud computing. Ninety-three percent of respondents said the need for cloud computing security standards is important, and 82 percent said the need is urgent.
“It’s clear from the survey’s findings that enterprises across sectors are eager to adopt cloud computing — but that security standards are needed both to accelerate cloud adoption on a wide scale and to respond to regulatory drivers,” said Jim Reavis, founder and executive director of CSA, a not-for-profit organization formed to promote best-practice security measures in the cloud. “Cloud computing is shaping the future of IT but, as this study shows in a variety of ways, the absence of a compliance environment is having dramatic impact on cloud computing’s growth.”
Among the survey’s findings:
While most organizations are experimenting with cloud computing, executives said they are still in the early stages of adoption. Security and management issues are leading many organizations to keep their cloud initiatives within their own firewalls. According to the CSA survey, private and hybrid cloud implementations are quickly gaining in popularity and will see increasing adoption over the next 12 months.
“Cloud services are clearly the next generation of information technology that enterprises must master,” said Reavis. “We have a shared responsibility to understand the security threats that accompany the cloud and apply the necessary best practices to mitigate them.”
The CSA also recently announced findings that detail the chief potential threats surrounding the use of cloud services. Specific security threats include exploits such as the Zeus botnet and InfoStealing Trojan horses, malicious software that has proven especially effective in compromising sensitive private resources in cloud environments.
However, not all threats in this category are rooted in malicious intent. As the social Web evolves, more sites are relying on application programming interfaces (APIs), a set of operations that enable interaction between software programs, to present data from disparate sources. Sites that rely on multiple APIs often suffer from “weakest link security” in which one insecure API can adversely affect a larger set of participants. Together, these threats comprise a combination of existing vulnerabilities that are magnified in severity in cloud environments as well as new, cloud-specific techniques that put data and systems at risk.
Rounding out the list of common cloud threats covered in the report are malicious insiders, shared technology vulnerabilities, data loss and leakage, and account/service and traffic hijacking.
To help cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, CSA has announced a vendor-neutral initiative to deliver the industry’s first cloud security certification, education and outreach program. Known as the “Trusted Cloud Initiative,” it is a cooperative effort of CSA’s membership, which represents a cross section of industry stakeholders, end-user organizations, cloud services, SaaS and technology providers. These include Novell, Microsoft, Dell, Rackspace, Qualys, HP, Intel, Cisco, McAfee, Google, ISACA, DMTF and Symantec, as well as individual representatives from Global 2000 organizations and the world’s governments.
The certification criteria, seal and roadmap will be defined by members of the CSA. The educational outreach components of the program will be geared toward helping information security, IT audit and software development professionals within enterprises and cloud providers better understand the security, identity and access, compliance, data governance, portability and interoperability requirements organizations must maintain to demonstrate compliance and mitigate risk in the cloud.
“How identities are managed either in the cloud, or federated with the cloud, creates significant barriers for enterprise adoption of cloud services,” said Alan Boehme, SVP IT Strategy and Enterprise Architecture, ING Americas, and current CSA board member. “By building a consensus security reference guide and certification roadmap, we are creating common ground for both enterprises and cloud providers, and expect to accelerate cloud adoption.”