Unless you've been living under a rock, you know that cloud computing is all the rage these days. Cash-strapped businesses are eagerly looking to move IT operations and applications to the cloud in order to cut costs. For enterprise security managers, this trend is nerve-wracking to say the least. Already battered by constantly evolving Internet threats and compliance demands, the last thing you want to do is lose control of your corporate data to a cloud service provider.
But you'd better figure out a way to deal with this cloud phenomenon. As several industry experts pointed out at the Cloud Security Alliance Congress in November, cloud computing is a trend that's here to stay.
More than one speaker at the conference described cloud computing as a train ride, and said security professionals should make sure they aren't left behind. Symantec Chairman John Thompson drew a particularly colorful analogy, comparing cloud computing to Mother Nature, against which it's futile for IT professionals to fight. He and other speakers urged security pros to embrace the trend as an opportunity for improvement.
What's to embrace from a security perspective, though? Cloud computing raises all sorts of issues. Depending on the model, there's a loss of control. There's the lack of visibility; some cloud providers are far from forthcoming about how they protect data. How do you maintain compliance with regulatory requirements and industry standards when working with a cloud provider?
And as Scott Charney, Microsoft's corporate vice president for Trustworthy Computing, pointed out in a conference keynote, while there are a lot of reasons to move to the cloud, aggregating data creates rich targets for bad guys. Breach investigations can become problematic in multi-tenant environments, he noted. "Information aggregation will put pressure on identity," and the traditional user name and password method won't cut it anymore, he added.
However, there is a lot of work underway to tackle cloud security issues. Born two years ago, the nonprofit CSA is a broad coalition of security practitioners, industry experts, and vendors. The group, which has more than 13,000 members, has published security guidance on the critical areas of focus for cloud computing, a paper on top cloud computing threats, and recently unveiled the CSA Governance, Risk Management and Compliance Stack. The GRC stack is a set of three free tools designed to help companies, cloud providers and others to assess both private and public clouds against industry standards, best practices and compliance requirements.
To be sure, moving IT operations and applications to a cloud environment will require a shift in security thinking. Some, like Thompson, say it will mean a transition from focusing on securing devices and infrastructure to an information-centric approach. Focusing on protecting the truly sensitive data in an enterprise makes sense as traditional network perimeters continue to crumble with mushrooming numbers of remote workers and smart phones.
Certainly, there's a lot of hard work ahead for security professionals as companies forge ahead into the cloud, but be assured that there are a lot of smart people working to get ahead of the issues. There are tools and knowledge available that can help, and security pros should take advantage of them.
Thompson told CSA Congress attendees not to fear the cloud; the security industry will adapt and solutions will be found, he said. Thompson speaks from 40 years of experience in the technology industry and has seen a lot of changes, so his words carry weight.
Security is often criticized as reactive, but with cloud computing, security professionals have a chance to be proactive. At the risk of overusing the phrase, don't let the train pass you by.
Marcia Savage is editor of Information Security. Send comments on this column to firstname.lastname@example.org