CSA helps clear up cloud security questions

Uncertainty about cloud-service security is among the biggest barriers to adoption in the business world. Verifying a cloud service’s security is tough, especially because cloud providers are hesitant to reveal details — and understandably so.

Fortunately, a group called the Cloud Security Alliance (CSA) has emerged to help alleviate would-be customers concerns, and it’s becoming the de facto standard for cloud security guidance for service providers, users, and auditors.

[ Master your security with InfoWorld’s interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]

Trust us, we’re secure Cloud providers’ hesitancy to share precise details of their offerings’ security doesn’t instill much confidence in IT security admins, but in many cases, it’s not a matter of vendors trying to be devious or hide something. Rather, as they are learning what it means to secure cloud assets and developing standards and controls, they are trying to come up with documentation that satisfies customer requests — without revealing too much information.

Observers in favor of cloud vendors revealing every detail of every security control often argue that sharing such data is akin to publishing a cryptographic algorithm for public review: Even if it is disclosed to the world, it should not result in a weakening of the provided protection.

But computer defense strategies aren’t crypto ciphers, and disclosing too much could help an enemy. There’s a reason why the world’s navies don’t announce to each other where all their submarines will be on a given day. There is value in keeping defensive strategies secret. As I’ve said before many times, security by obscurity does have value.

In order to protect their security secrets while addressing would-be customers’ questions, many cloud providers have hired third-party auditors to perform security audits and have then released the results to interested customers. Traditionally, the Statement on Auditing Standards (SAS) 70 Type II is the most common U.S.-based cloud audit standard you’ll see. Other cloud auditing standards have been developed, including CloudAudit, CloudTrust, and ISACA’s Cloud Computing Management Audit/Assurance Program. A few cloud providers have flashed their military or defense department accreditations. But there hasn’t been one global cloud-security auditing standard — until now, through the CSA.

Cutting through the haze of cloud security The Cloud Security Alliance comprises dozens of cloud service providers, including three of the four big IaaS providers: Google, Microsoft, and VMware. (Amazon is missing from the members list.) Other members include Cisco, VeriSign, American Institute of CPAs, the biggest accounting firms, and many antimalware companies.

The group’s mission is to promote the use of best practices for providing security assurance within cloud computing, as well to provide education on the uses of cloud computing to help secure all other forms of computing. The CSA doesn’t do cloud auditing itself, but rather provides guidance to its members and readers.

Four pillars comprise the CSA’s Governance, Risk, and Compliance (GRC) “stack”: Cloud Trust Protocol, Cloud Audit, Consensus Assessment Initiative, and Cloud Controls Matrix.

The Cloud Trust Protocol is an XML-based standard way of communicating cloud security assertions, evidence of those assertions, and affirmations. According to CSA, the protocol allows “transparency as a service” for privacy, security, and compliance needs. The CSA website has a good summary of the protocol [PDF].

CSA also offers “Security Guidance for Critical Areas of Focus” [PDF] that breaks down cloud security into 13 domains:

• Governance and enterprise risk management
• Legal and electronic discovery
• Information lifecycle management
• Portability and interoperability
• Business continuity and disaster recovery
• Data center operations
• Incident response
• Application security
• Encryption and key management
• Identity and access management
• Virtualization

The CSA has done a good job of highlighting all the computer security bases as they apply to cloud offerings.

The CSA’s Cloud Controls Matrix [XLS] is geared toward cloud service providers and auditors. It lists controls and maps them to popular compliance requirements: COBIT, HIPAA, PCI DSS, and so on. CSA’s Consensus Assessments Initiative Questionnaire [XLS] lists well over 100 questions that map back to the controls listed in the Cloud Controls Matrix. These documents are meant to be used together.

As with almost any other auditing control document, my only complaint is that the controls and control questions are fairly general in nature. For instance, it asks if data is encrypted at rest, which is a good thing, but it does not provide any clue as to how well this is done, even if the vendor says it is. The best encryption algorithms have been pushed aside by poor deployment practices. Unfortunately, very specific, technical details are rarely covered in any general security control guidelines, but at least you have a great starting baseline to work with.

If you’re considering a cloud service, find out how it maps to the CSA’s controls and other documents. For an example, see Microsoft’s Office 365 Standard Response Document. (Microsoft is my full-time employer.)

Even if your cloud service provider doesn’t currently map or work with the CSA’s auditing documents, you can use those documents to assist with making sure you ask the reasonable questions that any cloud user would pose and any cloud provider should be able to answer.

The CSA is not a perfect organization, of course. Like any independent, emerging standards body, it’s taken a few years to gain consensus and grow its membership. There are still a few notable missing members. I keep waiting for some of the computer auditing-specific societies to join, along with other big SaaS vendors, such as Salesforce.com. Its auditing controls and questionnaire could contain more details for my taste. Still, the group is accomplishing more than any other prior cloud standards body.

This story, “CSA helps clear up cloud security questions,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.