
Alleviating security concerns - Cashing in on the cloud

Raj Samani, VP of Communications, Information Systems Security Association UK, looks at providing transparency with cloud-based computing services

One of the results of an economic downturn is the realization that work must continue, but with less money. The recent report released by Forrester Research, “Talking To Your CFO About Cloud Computing”, has generated considerable interest, in particular its promise that cloud-based services provide “a cash-flow-friendly alternative to on-premise installation for projects”.

Cloud computing is Internet-based computing, or even outsourcing, with greater and more rapid scalability: shared resources, software and information are provided to computers and other devices on demand.

Security Concerns

Although there are potential cost savings to be made, a CIO.com survey revealed that cloud security concerns are one of the main issues preventing the adoption of cloud-based services.

This message is repeated in a multitude of surveys, with security concerns being one of the main blockers for companies realising the massive (potential) cost savings of cloud-based services.

More specifically, the key security concern, according to a recent Gartner paper on cloud services, is the lack of transparency. Consider an internally provisioned solution: who will be administering the systems that house corporate data can easily be determined by asking HR. Likewise, knowing where the information is hosted geographically is well within the CIO’s remit.

Compare this to the cloud-based provider, and suddenly knowledge of such relatively simple information can become considerably more difficult to acquire.

A security silver lining

A possible security answer could soon become available. The Common Assurance Maturity Model (CAMM) is a collaborative project made up of the biggest providers of cloud-based services. The working group also consists of regulatory bodies, industry associations, end user organizations, security vendors, and individual security professionals. Its purpose is to provide the transparency that existing and potential cloud customers crave, together with better security. The intention is to measure the level of maturity a provider has reached in managing risks to information, and to publish the supporting detail.

Crudely put, an organization can define the levels of maturity it wants in different areas as quantitative figures, then select the provider that matches. The net result of such a model is that organizations can compare the security of internally provisioned services and cloud-based providers as simply as they can compare costs. This enables organizations to compare apples with apples, and ensures that security is included in an objective manner when determining where and how to host corporate data.

In addition to providing transparency with security, the project’s objectives include:

  • Suitable for multiple environments: It is not being restricted to a specific geography or industry. It follows a modular approach with a core set of security requirements, but allows the input of additional modules that may be tailored to meet specific requirements. For example, a company that has to adhere to the PCI-DSS standard may wish to use the core controls, and plug a PCI module into their set of requirements.
  • Comprehensive: It is a collaborative project with input from the key industry organizations, regulators and standardization bodies.
  • Trusted: Higher levels of maturity will come from independent audits from trusted companies.
  • Common language: Its aim is to provide a language that is accessible to executive management, CIOs and security professionals.
  • Leverage existing security investment: It leverages controls from existing security compliance frameworks, which therefore reduces additional costs associated in complying with yet another standard.
  • Informed risk decisions: It helps customers make informed risk decisions by comparing in-sourced and outsourced models objectively and quantifiably.

Delivery of the initial set of controls and supporting guidance is anticipated in Q4 2010, with additional modules becoming available thereafter. Using the CAMM, organizations can decide on the level of risk they are willing to tolerate when hosting systems, while also ensuring that whoever hosts the information employs adequate security controls to protect it.

This level of due diligence and security is crucial to ensure compliance with the Data Protection Act, but more importantly reduces the risk of things going wrong. After all, you can transfer the burden of managing systems, but not the liability if something goes wrong.


For more security information:
Raj Samani,
Information Systems Security Association UK
Email: raj.samani-issa-uk.org
Website: www.issa-uk.org