Cloud computing security group releases report outlining trouble areas

By Robert Westervelt, News Editor 22 Apr 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The 83-page report, "Security Guidance for Critical Areas of Focus in Cloud Computing," outlines 15 areas or domains that need to be addressed, spotlighting two in particular: governance and operations within the cloud.

RSA Conference 2009 For all the latest news, podcasts and more direct from the show floor in San Francisco, visit our RSA Conference 2009 special news coverage page.

The report outlines the framework that makes up many cloud computing architectures and then identifies three delivery models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). It also addresses governance and risk management issues encountered by companies and service providers. It recommends that service providers conduct regular third-party risk assessments and make the results available to customers.

Other domains addressed in the report include compliance and audit, recommending service providers adhere to SAS 70 Type II audits and ISO 27001 certifications, as well as a greater uniformity in comprehensive certification scoping. Encryption and key management, storage issues, application security concerns and virtualization security problems are also addressed in detail.

The fledgling organization launched this week at the 2009 RSA Conference to raise awareness about cloud computing security issues. In a presentation Wednesday, Jim Reavis, president of Reavis Consulting Group LLC and co-founder of the non-profit alliance, said the report should offer guidance to organizations implementing virtualization or seeking out a cloud computing provider.

"We selected the domains based on strategic and tactical pain points where virtualization is an important building block for cloud computing and governance domains are more broad and strategic," Reavis said.

During the last several years, companies have raced to implement virtualization or move data to cloud service providers, hoping to cut server management costs. Reavis said the Cloud Security Alliance plans to host events throughout the year to offer expert advice on cloud security issues, as well as provide additional reports outlining best practices for cloud computing implementations.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Dave Cullinane, CISO and vice president of global information security at eBay Inc., serves as one of the organization's advisors. At the RSA presentation, Cullinane said his firm was an early adopter of cloud computing and encountered a lack of information or best practices about securing data in the cloud.

"I thought it was time we start getting in front of this and at least look at it in terms of the security perspective," Cullinane said. "What we tried to do is take all the brilliant minds we had access to and get their ideas together."

Also serving as an advisor to the organization is Jerry Archer, vice president and CISO of Intuit Inc. Archer said Intuit saw that cloud computing was inevitable and currently uses it within its research and development organization.

"Today its experimental, but given the amount of personally identifiable information and transaction data, it's incredibly important to make sure that it's secure," Archer said. "It's important to make sure that you can understand what's going on in the cloud and manage the incidents and all the other issues going on in there."

Reavis said the organization would be all-inclusive and currently has a broad spectrum of members from individuals passionate about cloud security issues to vendors such as Microsoft, PGP Corp., Qualys Inc., Zscaler Inc. and others.

"We are not security people with our heads in the sand wanting this issue to pass by," Reavis said. "This is something that we believe is an inevitable transformation in computing."

Tags: Virtualization Security Issues and Threats,  Security Industry Market Trends, Predictions and Forecasts,  Secure SaaS: Cloud services and systems,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Virtualization Security Issues and Threats Web security strategy: Use cloud security services Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Security Industry Market Trends, Predictions and Forecasts SCADA system, critical infrastructure security lacking, survey finds Security architects fear savvy botnet attacks, IPv6 security issues Security compliance predictions for 2010: New regulations, new technology IAM trends: Rebuilding security with provisioning technologies Gartner acquires Burton Group, bolsters presence Securosis adds Security Incite, Rothman to its roster Five security industry themes to watch in 2010 How to advance in your infosec career in the current economic storm Top cybersecurity stories of 2009 Security industry praises Schmidt but sees challenges ahead Security Industry Market Trends, Predictions and Forecasts Research Secure SaaS: Cloud services and systems Cloud computing in 2010: Be ready for risk management challenges Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation Web security strategy: Use cloud security services Cloud Security Alliance releases updated guidance Carefully evaluate providers' SaaS security model Should cities demand data breach penalties? How to justify information security spending on cloud computing Cloud computing data security starts with internal strategy, experts say Network security expert urges hardening of cloud protocols

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter body scanning  (SearchSecurity.com) marketecture  (SearchSecurity.com) NCSA  (SearchSecurity.com) Palladium  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary