Network Security
New Security Certification On The Horizon For Cloud Services
- From: Howell, Paul
- Date: Thu Nov 05 09:33:19 2009
At http://www.darkreading.com/securityservices/security/government/showArticle.jhtml?articleID=221600333
New Security Certification On The Horizon For Cloud Services
Cloud security cert would go beyond existing SAS 70, ISO 27001 standards
Nov 04, 2009 | 05:25 PM
By Kelly Jackson Higgins
DarkReading
A first-ever security certification dedicated to cloud services is in
the works amid enterprise concerns of the safety of their data in the
cloud.
There's no official security certification for cloud security service
providers today: some use the SAS 70 or the ISO 27001 standards as their
security certifications, neither of which is sufficient for providing
potential cloud customers with assurances that the provider has deployed
the proper security or that their data is sufficiently locked down,
experts say.
"There needs to be a certification that is specifically for cloud
providers," says Jim Reavis, co-founder and executive director of the
Cloud Security Alliance. The Cloud Security Alliance is working with
other key players in cloud security and auditing to determine which
organizations should provide the certification, as well as what such a
certification should include.
"This is going to be a shared thing," he says, noting that the
certification is likely to be managed by multiple bodies. He says to
expect a statement of direction for a cloud security certification
around the first quarter of 2010.
"We are seeing a lot of demand," Reavis says. "We've got to move pretty
quickly ... we've got some pressure" on us to get it done, he says.
But there's still a lot of work to do: Reavis says the entire cloud
model of computing as a utility and its dynamic characteristics make
this a whole new ballgame for certification. "[Cloud computing] brings
everything into question: where the machines are, what is the nature of
data. If data is encrypted on the public cloud providers' [systems] and
the key held by a separate cloud [provider] -- is that even data?
There's some rethinking we need to do," Reavis says.
An enterprise's own security controls and their cloud security
provider's controls must go hand in hand as well, says Bret Hartman,
chief technology officer at RSA. "It's complicated with cloud computing
because there are multiple parties involved," Hartman says.
"I think it's time for us to think about what a cloud certification
would be ... and there would be different levels of certification
required," Hartman says. "It would be different than SAS 70."
SAS 70 is basically a set of self-defined certifications for the
internal business controls of an organization. It covers everything from how
human resources handles background checks to data backup, patch management,
and client administration, but it doesn't specifically address issues
affecting cloud-based services.
The main catch is that one company's SAS 70 certification isn't the same
as another's: "You define the controls as the service provider and the
auditor comes in and makes a judgment whether these controls are
sufficient or not" with testing, says Chris Day, chief security
architect at cloud computing provider Terremark, which holds a SAS 70
certification. "SAS 70 is very enterprise-specific: my SAS 70 is
different from yours or IBM's, for example. It's difficult to know
whether my SAS 70 is more comprehensive than yours, which would be
troubling for something as complex as cloud security."
Day says PCI is actually a better standard to gauge data security
because it dictates a series of controls and how they should be
implemented, and what level of logging should be deployed. "We have SAS
70, but it doesn't necessarily tell the whole story. SAS 70 is a
foundational certification," he says.
The Cloud Security Alliance's Reavis says ISO 27001 is actually better
for cloud services than SAS 70. "It's more holistic and covers more
ground," he says. ISO 27001 specifies how an organization should handle
is information security management, including security controls, risk
assessment, and other issues.
Like SAS 70, it's also self-defined by each organization that uses the
certification, however. "You can exclude from the certification some
very important things," Reavis says. Even so, he says, ISO 27001 makes
the most sense for now: "We feel that until we can get a cloud security
certification, ISO is a better interim step" because it's more broad
than SAS 70, he says.
But most cloud service providers don't even bother with SAS 70 or ISO
27001 certifications at all, Reavis says. "SAS 70 is the most common
certification for those who [cloud providers] are doing anything"
certification-wise, he says.
Dyke Hensen, CMO at PivotLink, a business intelligence provider that's
SAS 70 Type II-certified, says SAS 70 alone isn't enough for cloud
services, but it's as good as most mid-market companies have today
security-wise. "SAS 70 is a move in the right direction, but it's not
for everything," Hensen says.
Meanwhile, prospective cloud customers are starting to ask more
questions about the security of their data in the cloud. "What I hear
from customers is 'how do I know my data is being protected by this
cloud service?'" RSA's Hartman says. They want assurance that their
sensitive data is protected, and that they can demonstrate that to their
auditors and upper management, he says.
"If there were a widely accepted and reliable certification for this, it
would be a great way to address those requirements [for customers],"
Hartman says.
RSA and VMware today released best practices for identity and data
protection in a cloud environment. Among the recommendations are setting
policies for protecting data; transparency of the cloud provider so that
customers can see their logs and events, for example; adoption of data
encryption and masking, so that your data isn't accessible by another
customer of the cloud provider; and federated identity management.
These are all areas that could be part of a cloud security
certification, Hartman says.