The cloud -- and outsourcing in general -- breaks off pieces of the stack beneath any given application. Those pieces leave the enterprise CISO's control, and that is not good.
So says Wendy Nather, a senior analyst in The 451 Group's enterprise security practice, who raised the problem at the firm's client security event on Dec. 1.
Even consolidated security offerings that try to unify the stack are no longer as useful, said Nather, in a presentation entitled, "How the Cloud Breaks Application Security (and a lot of other things)."
With part of the stack gone, there is less to manage, she noted, and unifying management technologies such as identity and access management (IAM) and governance, risk and compliance (GRC) have less to work with, too.
Providers are, however, beginning to adopt the visibility and the standards that the cloud needs. For example, Nather said, the Payment Card Industry Data Security Standard (PCI DSS) is increasingly treated as a general security baseline even outside the payment card industry.
Application security, which Nather said has a lot of moving parts, is in need of a visible, simplified standard such as PCI DSS. There are growing opportunities for centralized internal security management services, hands-on application remediation services, and commercial applications that could be voluntarily "pre-assessed" on an ongoing basis as a market differentiator, she said.
"In a standards and visibility vacuum, this is what we see being picked up to enable businesses to move forward," Nather said in an interview with CSO. "Areas such as identity management are having to adapt to the cloud, fracturing the governance model as well. The job of a CISO is increasingly becoming about not just policy creation and risk management, but contract and supply chain management."
One option is to manage the security gaps through contracts with service providers, and through the use of industry standards, she said.
This story, "The Cloud That Broke the Stack," was originally published by CSO.