Cloud computing is in the news, though not in the way its proponents have hoped. While advertisers market the arrival of "the cloud" in
The computing industry is expecting widespread transformation to the new computing model that summons computing, storage and software on demand, often through third-party providers that might share computing resources and host their own services through more external service providers.
The mix of off-premise players and multiple connections has introduced
Analysts with Forrester Research are
"Some pre-Internet era companies like Sony may have shown a bit of hubris to the implications of cloud computing," says Mike West, Distinguished Analyst at
West says Internet-age provider Amazon was quicker to recover and saved face by providing visibility to its problems. But beyond accidental failures, more data breaches at
The National Institute of Standards and Technology within the U.S. Dept. of Commerce announced a program in 2009 to look at ways of securing information for federal agencies adopting cloud technology.
Last month, the group issued a
NIST is collaborating and taking input from groups like
In the private sector, the non-profit
In its 2011 summit, the group talked about standardizing best practices and collaborative incident response teams of programmers and security experts as part of a
Computer Security Incident Response Teams (CSIRTs) are described by CSA as the "cornerstone" of coordinated incident response and computer security information sharing for governments and large enterprises. The model has been used to respond to incidents of malicious activity on the Internet.
Private consulting and security firms that secure Internet services are candidates to cope with challenges unique to cloud computing. Some mainstream vendors, including Microsoft and EMC, are implementing cloud audits and internal SIRT through guidance bubbling up through CSA, according to EMC Chief Governance Officer Marlin Pohlman, who also co-chairs three CSA working groups.
"We're putting a lot of CSA workgroup activity directly into production and co-developing," Pohlman says. "It's part of the [cloud] procurement criteria and definitely beyond the point of tire kicking."
CSA is also building a new Wiki format version of Guidance for Critical Areas of Focus in Cloud Computing. The
Mushegh Hakinian is Security Architect at Intralinks, a software-as-a-service provider and CSA member. Intralinks creates highly secure cloud-based exchanges for information sharing across industry verticals, such as capital markets conducting M&A, or life science firms sharing research.
While his own company was built from the ground up with service-based security standards, Hakinian says it's harder to maintain control where services are increasingly managed outside the business, on the cloud or otherwise.
"If you have email, it's probably outsourced, and for most companies that is more than 50 percent of your communication," says Hakinian.
Rapid growth calls for ongoing standards practice work, which Hakinian says is proceeding, even though there is no way to permanently offset any single attack.
"What a group like CSA can contribute, and what the vendors could do better is to actually use the many wonderful standards and documentation sets CSA has put out," Hakinian says. "The cloud controls matrix is comprehensive and covers everything from compliance to security architecture. You'd be surprised by how much of that is implied but not implemented."
This article originally appeared in