Cloud security: The basics
The Cloud Security Alliance and others are working to define security requirements for SaaS, IaaS, and PaaS cloud computing models.
By Mary Brandel
June 15, 2010 — CSO —
Cloud computing is one of the most-discussed topics among IT professionals today. And not too long into any conversation about the most highly touted cloud models—software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS)—the talk often turns to cloud security.
According to Milind Govekar, an analyst at Gartner, cloud has rocketed up the list from number 16 to number two in Gartner's annual CIO survey of key technology investments. "Like with anything new, the primary concern is security," he says. In fact, the vast majority of clients who inquire about cloud, he says, would rather create a virtualized data center on their own premises—what some call a private cloud—because they're uncomfortable with the security issues raised by cloud computing and the industry's ability to address them.
Read the companion article "Cloud security in the real world: 4 examples"
"We are in the early stages of a fascinating journey into a new computing model that, for all its purported advantages, from a security and risk point of view, is a difficult thing to deal with," agrees Jay Heiser, an analyst at Gartner. "The things that make it easy and appealing—like the immediate plug-and-play productivity—also make it impossible to conclusively assess your relative risks." Current certifications, such as SAS 70 and ISO 27001 and 27002, are not sufficient, he says, leading to frustration for both buyers and sellers.
For this reason, securing cloud computing environments will be a major focus of vendor efforts over the next year, says Jonathan Penn, an analyst at Forrester Research. In the short term, he sees users having to do a lot of the legwork, but over time, "cloud providers themselves will see the opportunity to differentiate themselves by integrating security," he says. Security vendors accustomed to selling directly to the enterprise will find that they need these cloud providers as a way to reach the market, Penn says, and as the market matures, customers will want this stuff baked into the services they're buying. "That will be quite a radical change and a disruption," he adds.
In the meantime, organizations such as the Cloud Security Alliance (CSA) are working to put some shape around the security issues and the ways to address them. The CSA recently released a summary of the strategic and tactical security pain points within a cloud environment, along with recommendations on how to address them. The organization divided the domains into two broad areas: governance and operations.
cloud security
- Survival Guide: Overcoming the Obstacles to Effective Risk Management
- Smart Techniques for Application Security
- The Business Case for Data Protection
- Utility Mandate: Software Security for the Smart Grid
- Risk-driven Compliance and Security Management
- CyberAttacks ... Are you protected or prepared to pay?
- Addressing the Grand Challenge of Cloud Security
- Cloud Computing Defined and Demystified
- Cloud Computing: The Next Major Driver of Business Innovation
- Take the Cost, Complexity and Frustration Out of Two-factor Authorization
- Conquering Compliance for Dummies
- Practical Approaches for Securing Web Applications
