I have been doing some research in preparation for an upcoming conference that I am helping to organize (The Open Group Security Practitioners Conference), where cloud computing security will be one of the big topics of discussion. I will likely be doing a lot of blogging on this topic…I see really significant security (and privacy) issues that need to be aired out, thought through, and resolved, if secure cloud computing for the enterprise is to happen. Things like:
- From a security concerns standpoint, cloud use cases are very different – a single enterprise using an application in the cloud like SalesForce or Netsuite is very different from the cloud collaboration use case, which is very different from a developer-level cloud API service, which is different again from using “storage in the cloud”
- Transparency (or lack thereof) of the security controls used by the cloud provider. Saying that you have a SAS70 Type II means pretty much nothing…
- Validation and verification of cloud provider security controls by big customers – third-party vendor risk is a big deal in many industries, and in areas like financial services it is not optional; it is required by law and by regulators. How are the cloud providers going to respond to an assessment request from a financial organization customer that asks 2,300 specific questions about controls? How will they react to a request for an onsite audit?
- Compliance impacts – regulations such as PCI are pretty prescriptive about the security controls. Same for GLBA/FFIEC. How will that translate to cloud services? Here’s a prediction: the first cloud service provider that gets proactive about documenting their compliance posture relative to the regulations in a specific niche like PCI will do very well.
I wonder if the big cloud providers really understand the barrier to adoption that security concerns represent for large enterprises?
BTW, one of the great things about SBN, Twitter, etc. is the “group learning” that goes on. My hat is off to Hoff, Mogull, and others who spend a lot of time thinking about these issues, who are able to distill things down to core issues, and to communicate things clearly.
Jim
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.
Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.
An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.
He holds a B.S. in Marketing from Southern Illinois University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com