Wise Words from the Cloud Security Alliance

Why consider cloud computing? For most enterprises, the decision to move into the cloud is based on operational and financial needs. According to Dov Yoran, co-founder of MetroSITE Group, cloud computing is both a top-down push from management, who see the cloud as a way to save money, and a bottom-up grassroots effort from people in development and research departments, who see the cloud as a way to operate with more freedom.

Stuck in the middle are the security personnel. “We recognize the security problems,” says Dov, “but because cloud computing is so new, there are a lot of security practitioners who aren’t so comfortable with the evolution to the cloud computing process.”

That’s where the Cloud Security Alliance (CSA) comes in.

The CSA’s goal is to provide a framework for security personnel to better understand the implications of moving infrastructure, data, and processing into the cloud environment. CSA was born in November 2008 at the ISSA CISO Forum in Las Vegas. Dov was one of the founding members of the group. 

While there is a long list of concerns regarding security in the cloud, Dov thinks the number one issue facing CISOs is control of the data. “You are moving data from your internal organization and your internal physical structures to a virtual environment,” he says. Once that happens, the ability to monitor who has access and who can control the data has shifted. Moving data to the cloud, he adds, means corporate information is one more step removed from the company’s security.

That “one step removed” can be a boon to malicious company insiders. There will always be employees who seek to do damage through the computer networks, but the cloud can provide access that can more easily avoid the front lines of security.

It’s important to remember, Dov says, that everything that is cool and positive for the company working in the cloud is equally cool and positive for the bad guys. “Just as the cloud encourages a freer environment for enterprise, the cloud can also be used for phishing and password tracking. This environment is just as efficient for the criminal element.”

Finding cloud service providers you can trust is another concern that Dov points out. Understanding what a provider does with your information, and knowing how much access its employees have to that information, are things to consider when hiring service providers.

Before looking for a cloud provider, he recommends the CISO develop a risk assessment (if it hasn’t been done already) to help define what will be put into the cloud and how to leverage that information. When you meet with the cloud providers, you need to determine how mature an organization they are, particularly in relation to the nature of the data to be stored in the cloud. “You want to have access to the provider’s track record,” says Dov. “You also want to talk through the rules and responsibilities in case something does happen. You want to define those details as much as possible in the contract.”

Visibility is key when working with a service provider, he adds. You want to know where and how to get access to the data. Who is backing up the data? Who outside the provider might have access? These are all among the questions to ask before signing on the dotted line.

So, once the data is in the cloud, what can the CISO and the security staff do to keep that information safe?

“You should think of the cloud as outsourcing,” Dov says. Consider how you protect outsourced data and follow similar models. “Make sure data is encrypted. Know who is accessing the data.”

He recommends practicing security drills with the cloud service provider. Stage an imaginary security breach to see how the provider handles the problem and to see what your abilities are to protect the information.

Of course, security of information in the cloud has to be practiced on the enterprise side as well. How can the CISO make sure corporate employees are following security procedures in a computing atmosphere that encourages the overall IT department to be hands off?

Training and defined policy initiatives, says Dov. “You have to make sure people in the organization are aware of the security problems in cloud computing. They have to know what they can and cannot do.” The training should make clear what problems are out there and the consequences involved if security procedures aren’t followed. It’s also important to foster open communication during this process so employees can feel comfortable asking for guidance.

Monitoring tools should also be in place. There are tools available now to encrypt information going out to the cloud, as well.

One of the resources available is the CSA itself, which has developed white papers and initiatives on improving security in the cloud. Essentially, CSA can help CISOs learn how to deal with cloud storms, Dov says, through governance and practice outlines.

Some of the research components of CSA include surveying the top threats in the cloud and investigating security issues that are unique to the cloud, initiatives that are updated on a regular basis. The group has put together a cloud control matrix, a tool that maps the domains of guidance through the five most popular compliance standards. The Trusted Cloud Initiative fosters cloud service providers and gives them guidance for best practices.

CSA is forming an enterprise membership council, a group of large organizations, and the goal is to help provide a platform for service providers. “We’re going to help define what enterprise wants from the cloud and help prioritize what we need so we feel more comfortable using cloud services.” The council will provide a forum for CISOs, Dov says, and members of CSO Breakfast Club are encouraged to contribute.

In general, there are a number of ways CISOs and security personnel can be involved in CSA and learn what is happening in the front line of security in the cloud, which will benefit both the enterprise and the service provider.

“The company needs total security and that needs to be emphasized to the cloud provider,” says Dov. And that’s the role of the security officer – in the middle, making sure the data is protected by all entities.

Dov Yoran is an original founding member of the Cloud Security Alliance. His full-time job is as co-founder and partner of MetroSITE Group, an advisory council to CISOs in the industry and emerging security technologists.