SAN FRANCISCO -- The Cloud Security Alliance Wednesday released a document outlining more than a dozen areas it says must be addressed to better secure cloud computing environments.
The 83-page report, "Security Guidance for Critical Areas of Focus in Cloud Computing," outlines 15 areas or domains that need to be addressed, spotlighting two in particular: governance and operations within the cloud.
The report outlines the framework that makes up many cloud computing architectures and then identifies three delivery models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). It also addresses governance and risk management issues encountered by companies and service providers. It recommends that service providers conduct regular third-party risk assessments and make the results available to customers.
Other domains addressed in the report include compliance and audit, recommending service providers adhere to SAS 70 Type II audits and ISO 27001 certifications, as well as a greater uniformity in comprehensive certification scoping. Encryption and key management, storage issues, application security concerns and virtualization security problems are also addressed in detail.
The fledgling organization launched this week at the 2009 RSA Conference to raise awareness about cloud computing security issues. In a presentation Wednesday, Jim Reavis, president of Reavis Consulting Group LLC and co-founder of the non-profit alliance, said the report should offer guidance to organizations implementing virtualization or seeking out a cloud computing provider.
"We selected the domains based on strategic and tactical pain points where virtualization is an important building block for cloud computing and governance domains are more broad and strategic," Reavis said.
During the last several years, companies have raced to implement virtualization or move data to cloud service providers, hoping to cut server management costs. Reavis said the Cloud Security Alliance plans to host events throughout the year to offer expert advice on cloud security issues, as well as provide additional reports outlining best practices for cloud computing implementations.
Dave Cullinane, CISO and vice president of global information security at eBay Inc., serves as one of the organization's advisors. At the RSA presentation, Cullinane said his firm was an early adopter of cloud computing and encountered a lack of information or best practices about securing data in the cloud.
"I thought it was time we start getting in front of this and at least look at it in terms of the security perspective," Cullinane said. "What we tried to do is take all the brilliant minds we had access to and get their ideas together."
Also serving as an advisor to the organization is Jerry Archer, vice president and CISO of Intuit Inc. Archer said Intuit saw that cloud computing was inevitable and currently uses it within its research and development organization.
"Today its experimental, but given the amount of personally identifiable information and transaction data, it's incredibly important to make sure that it's secure," Archer said. "It's important to make sure that you can understand what's going on in the cloud and manage the incidents and all the other issues going on in there."
Reavis said the organization would be all-inclusive and currently has a broad spectrum of members from individuals passionate about cloud security issues to vendors such as Microsoft, PGP Corp., Qualys Inc., Zscaler Inc. and others.
"We are not security people with our heads in the sand wanting this issue to pass by," Reavis said. "This is something that we believe is an inevitable transformation in computing."