Cloud Security Standards for the Rest of Us (English version only)
Date : 30 Dec 2014
Organisation : Cloud Security Alliance
Writer : Michael Yung
In early 2014, I presented a session on Cloud Security Standards at the annual ComputerWorld / KornerStone Cloud Security Forum, and one question kept popping up during the event: "Why Cloud Computing?". That puzzled me a bit, as I thought all of us were aware of the benefits of Cloud Computing: services on demand, pay as you go, improved development agility, and so on. So I answered the question with another question: "Why not?":
Yes, why not? As you may expect, the typical answers from the floor were "Poor security!" and "Concerns about data privacy!". Those are concerns, I agree, but they are not facts. Instead, I believe the first things business users and CTOs / CIOs should consider are some other, psychological barriers.
For example: perceived loss of control; lack of clarity around responsibilities, liabilities and accountability; lack of transparency and clarity in SLAs, interoperability, awareness and expertise. Those barriers are very real. Once you have performed a proper risk assessment of deploying cloud in your business and tackled those barriers, you will find that security and data privacy are not major concerns in themselves, but rather something the company and the IT team should handle and tackle professionally.
The fact is that many enterprises push back on cloud computing because it isn't considered secure. But the truth is that data and systems residing in public or private clouds are as secure as you make them. Typically, cloud-based systems can be more secure than existing internal systems if you do the upfront work required. More importantly, cloud is real and here to stay.
What I mean by handling it professionally is this: before jumping to the conclusion that Cloud Computing is not secure, first ask yourself questions such as when and where to use cloud; outline the Service Level Objectives you need; review the skill set of your people and the maturity of your process and change management; and only then look for technical solutions.
Therefore we should ask ourselves when and where to use the cloud, in other words the business cases; what the service level objectives are, and then the service level agreements; and only then go down to the best practices, as well as the technologies, services and vendors.
With all that said, one will still ask how one can make sure that cloud services (IaaS, PaaS and SaaS) are secure. That, I think, is where Cloud Security Standards can help. It is no secret that we have dozens of Cloud Security Standards in the market, and in fact all of them are important and relevant.
For example, those from the CSA (Cloud Security Alliance), DMTF (Distributed Management Task Force), ENISA (European Union Agency for Network and Information Security), ETSI (European Telecommunications Standards Institute) and others.
With so many standards and guidelines, it is rather difficult to tell whether a Cloud Service Provider (CSP) already conforms to certain standard(s) if you are shopping for CSPs; or, if you are a CSP, it is hard to convince customers that your company conforms to certain standard(s). The only way, I think, is through certification.
I believe that with a proper certification process, regular reviews and a listing of all certified CSPs, customers can easily find the CSP that best fits their needs. By the same token, CSPs can easily prove to potential customers that they are doing a good job.
So Cloud Security Standards may not be easy to define and may be complicated to comply with; but with a certification process, it becomes easier to make the whole thing more fruitful for the standardisation bodies, the CSPs and the cloud computing customers.