The new Cloud Security Alliance (CSA) has a number of hurdles to clear if it expects to foster a meaningful discussion about cloud computing and provide useful data for organizations planning cloud implementations. The organization announced its formation earlier this month and plans to release a whitepaper in conjunction with its official launch at the RSA Conference in San Francisco.
The CSA is an interesting collection of personalities and interests that have demonstrated successes in security and Internet-oriented businesses. They founded the organization with a mission "to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
This is not the first, nor will it be the last, security alliance that was formed to get ahead of security issues that may stunt the growth of enticing new technologies. A search on "security alliances" will quickly uncover similar organizations including the Internet Security Alliance, Voice over IP Security Alliance, Document Security Alliance and Radio Frequency Identification (RFID) Security Alliance. Security practitioners are well-schooled in talking about potential security pitfalls in new technologies and in making best practices recommendations.
The primary issue that will determine the influence of the CSA is focus. With so many diverse membership interests and such ambitious goals, the group risks trying to boil the ocean, and the result can be recommendations too vague to be translated into practical steps for IT. The initial CSA mission statement and its cursory list of best-practice research domains are extraordinarily broad.
To begin, there is no universally accepted definition of the cloud. Market sizing and hype for cloud computing vary widely, with IDC predicting a $42 billion market by 2012, Gartner seeing a 21.3% revenue increase in 2009 to $56.3 billion, and Merrill Lynch forecasting a $160 billion market by the close of 2011. Each firm uses a different definition of cloud computing, which helps explain the wide variance in market sizing estimates.
A further example comes from the recently announced 159-member Open Cloud Manifesto group, which is attempting to work on six models of cloud computing:
- End user to cloud
- Enterprise to cloud to end user
- Enterprise to cloud (integration)
- Enterprise to cloud to enterprise
- Enterprise to cloud (portability)
- Private (intra) cloud
Whatever the cloud is, data storage and application processing are conducted off the corporate network, which means security will be a critical capability. While the manifesto organization presents use cases of cloud computing, the security alliance is tackling 15 "Domains of Concern," each of which would qualify for its own security alliance organization:
- Information lifecycle management
- Governance and Enterprise Risk Management
- Compliance and Audit
- General Legal
- Encryption and Key Management
- Identity and Access Management
- Application Security
- Portability and Interoperability
- Data Center Operations Management
- Incident Response, Notification, Remediation
- "Traditional" security impact (business continuity, disaster recovery, physical security)
- Architectural Framework
Like clouds themselves, expect the Cloud Security Alliance to start out broadly and then find an area where it can contribute positively. This is a massive undertaking without a great deal of customer experience to draw upon. The CSA may be better served by first focusing on two or three of the domains and a few of the manifesto group's cloud models to get feedback from the IT community. IT should review the CSA work to cherry-pick ideas for RFPs and RFIs as corporate requirements evolve. Both the Cloud Security Alliance and the Open Cloud Manifesto have LinkedIn groups and could use some help, especially from security professionals working in large enterprises with service-provider-class networks.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.