A new security architecture for the cloud

Members of the Open Group’s Security for the Cloud and SOA Project have launched a new security architecture for the cloud, to help security organizations better understand the unique security aspects of cloud computing.

The group has published a guide called “An Architectural View of Security for Cloud,” the first in a forthcoming series on security that will cover multiple areas beyond the cloud. Together, the guide and architecture are designed to help IT and security executives gain a more comprehensive view of complex cloud infrastructures and as a result make more informed decisions regarding the risks and opportunities.

Also see: “The cloud security survival guide”

The group’s intent is to produce “a set of whitepapers which will examine each of our architectural building blocks in greater detail through the use of business scenarios,” says Omkhar Arasaratnam, a certified senior security architect at IBM and co-chairman of the Open Group’s Cloud Work Group Steering Committee.

“The reality is that security in the cloud is not black or white, but really many shades of gray,” Arasaratnam says. “IT and security executives need to understand the impact which these shades of gray have on their overall risk posture, and take appropriate mitigating steps.”

The work the group is doing compliments what the Cloud Security Alliance (CSA) has been working on with regard to cloud security, Arasaratnam says. “The Cloud Security Alliance has published a number of excellent documents regarding various aspects of securing cloud computing,” he says. “We fully agree with many of them, in fact in our recent white paper we even cite some of their latest thinking regarding identity and access management.”

The group’s work is more focused on the architectural concerns of cloud security, Arasaratnam says, “where we find that the CSA work mainly [focuses] on technical controls such as device settings. Consideration of both are required to [secure] your cloud.”

CSA agrees that the work is complimentary. “The Open Group’s policy-based cloud security architecture white paper effectively leverages and aligns with CSA identity management principles for the cloud,” says Subra Kumaraswamy, co-chairman of the Identity and Access Management, Encryption & Key Management working group at the CSA.

“It is articulating the key security issues in the cloud: identity, entitlement and access management in the cloud,” Kumaraswamy says. “CSA’s current effort in the area of identity reference architecture will address all aspects of identity and access lifecycle including provisioning, authentication, authorization, federation and auditing and will be complementary to the Open Group’s efforts.”

The Security for the Cloud and SOA Project will host an “architectural decisions rodeo” at the Open Group Conference in Austin, Texas, July 18-22, to discuss key architectural decisions regarding cloud security.