Secure Cloud Practices Still Ramping

Cloud computing is in the news, though not in the way its proponents have hoped. While advertisers market the arrival of "the cloud" in television advertisements, the new technology is gathering at least as much attention for a series of breaches and failures.

The computing industry is expecting widespread transformation to the new computing model that summons computing, storage and software on demand, often through third-party providers that might share computing resources and host their own services through more external service providers. 

The mix of off-premise players and multiple connections has introduced new risks. Beyond embarrassment to large brand names including Sony, Amazon and Google, it is feared that more failures will dampen enthusiasm for early adopters. 

Analysts with Forrester Research are predicting the cloud computing market to reach $241 billion by 2020, but near-term risk has come clearer in a series of incidents. After a security failure last month potentially exposed account information on 100 million users, Sony's PlayStation Network was hacked a second time, resulting in ongoing intermittent downtime for paying subscribers. Amazon was forced to apologize for an April event that caused an extended outage for customers of its computing and database services.

"Some pre-Internet era companies like Sony may have shown a bit of hubris to the implications of cloud computing," says Mike West, Distinguished Analyst at Saugatuck Technology. "And now it's going to cost them in services that were paid for in advance." 

West says Internet-age provider Amazon was quicker to recover and saved face by providing visibility into its problems. But beyond accidental failures, further data breaches at RSA and attacks on Google's Gmail accounts have raised awareness that criminal and politically driven elements are actively looking to create mayhem or steal data held by sophisticated providers.

Government and non-profit groups are organizing to create standards for cloud computing and practices for defending it, though efforts are still ramping.

The National Institute of Standards and Technology within the U.S. Dept. of Commerce announced a program in 2009 to look at ways of securing information for federal agencies adopting cloud technology. 

Last month, the group issued a draft release of recommendations and will be accepting comments for a final version through June 13, according to NIST spokesperson Evelyn Brown. The final version will not be released until the end of this year. 

NIST is collaborating and taking input from groups like IEEE, which is very focused on cloud security, Brown says. "Our own work is also pushed by [federal CIO] Vivek Kundra who has pointed out the need for federal government and contractors to move toward appropriate applications of cloud computing."     

In the private sector, the non-profit Cloud Security Alliance (CSA), a group that includes prominent vendors, service providers, consultants and institutions, was launched at a conference held by security specialist RSA in 2010.

In its 2011 summit, the group talked about standardizing best practices and collaborative incident response teams of programmers and security experts as part of a 2011 roadmap that has only partially played out. 

Computer Security Incident Response Teams (CSIRTs) are described by CSA as the "cornerstone" of coordinated incident response and computer security information sharing for governments and large enterprises. The model has been used to respond to incidents of malicious activity on the Internet.

Private consulting and security firms that secure Internet services are candidates to cope with challenges unique to cloud computing. Some mainstream vendors, including Microsoft and EMC, are implementing cloud audits and internal SIRTs through guidance bubbling up through CSA, according to EMC Chief Governance Officer Marlin Pohlman, who also co-chairs three CSA working groups.

"We're putting a lot of CSA workgroup activity directly into production and co-developing," Pohlman says. "It's part of the [cloud] procurement criteria and definitely beyond the point of tire kicking." 

CSA is also building a new Wiki format version of Guidance for Critical Areas of Focus in Cloud Computing. The public Wiki guideline addresses 13 domains of critical focus in cloud computing in three sections covering architecture, governance and operations and builds on previous hard copy guidelines.

Mushegh Hakinian is Security Architect at Intralinks, a software-as-a-service provider and CSA member. Intralinks creates highly secure cloud-based exchanges for information sharing across industry verticals, such as capital markets conducting M&A, or life science firms sharing research.

While his own company was built from the ground up with service-based security standards, Hakinian says it's harder to maintain control where services are increasingly managed outside the business, on the cloud or otherwise.

"If you have email, it's probably outsourced, and for most companies that is more than 50 percent of your communication," says Hakinian.

Rapid growth calls for ongoing standards practice work, which Hakinian says is proceeding, even though there is no way to permanently offset any single attack.

"What a group like CSA can contribute, and what the vendors could do better is to actually use the many wonderful standards and documentation sets CSA has put out," Hakinian says. "The cloud controls matrix is comprehensive and covers everything from compliance to security architecture. You'd be surprised by how much of that is implied but not implemented."

This article originally appeared in Information Management magazine and on its web site.
