How the Cloud Can Solve Security Problems
Jerry Archer, board member of the Cloud Security Alliance, discusses how cloud computing will make security better for everybody.
Mon, August 22, 2011
CIO — Ask five different people a question about, say, cloud security, and you'll likely get five different points of view.
The cloud phenomenon is moving and morphing so fast that related disciplines, such as security, are hard to keep up with. Cloud-friendly concepts such as multi-tenancy and federated user authentication are challenging security vendors to come up with new and better counter strokes. But by the time they're ready, the cloud may have generated an entirely new set of security challenges.
Standards may or may not be the answer, since standards have a hard time keeping up with or anticipating fast-moving innovation. Yet there must be a way to standardize something, somewhere, to help bring structure and agreement to key concepts around cloud security.
That's where the non-profit Cloud Security Alliance comes in. Formed in 2009, the group today has 20,000 members and is regularly cited as a leading voice in the move to bring security to cloud computing. As Jerry Archer, a CSA board member and CSO for Sallie Mae, explains, the organization doesn't aspire to be a standards body, but instead looks for ways to promote best practices around which users, IT auditors, and cloud and security solutions providers can agree.
One outcome is the CSA's GRC stack, a suite of tools to help people assess and instrument clouds according to industry best practices, standards, and critical compliance requirements. Like all of the tools the CSA produces, the stack is free for anyone to download, as is membership in the group (although there is a fee for corporate sponsors).
In our talk with Archer, he explained more about how the CSA works, and not only how we are going to solve the security problems in the cloud but also how the cloud will improve security for everyone.
Give us a high-level description of what the CSA does.
You can group what we do into five major areas. One, we're developing strategy, particularly around how you get into the cloud and what things you need to be conscious of. Two is education, to help educate people in cloud security issues. Three, we're building best-practices frameworks around audit and compliance, and we're translating some typical SAS 70 controls and other audit regimes into frameworks for the cloud. Four, we're looking at assessment issues - how to look at the cloud in terms of assessing security. And five, we're looking out to see what the future holds.
How does CSA determine what projects to work on?