Cloud Security Alliance releases updated guidance

New version provides more actionable advice for ensuring cloud computing security

The Cloud Security Alliance (CSA) on Thursday released the second version of its guidance for secure adoption of cloud computing services.

The nonprofit alliance formally launched in April with the goal of promoting best practices for cloud computing security. The group released the first version of its guidance at the 2009 RSA Conference.

The new version, Guidance for Critical Areas of Focus in Cloud Computing – Version 2.1, provides more specifics in several areas and more actionable advice, said Jim Reavis, Cloud Security Alliance co-founder and executive director. The evolution will eventually get to the point where the industry can have audits and certification of cloud providers, he said.

"I'm not saying we're going to necessarily stand up and do all of that for the industry, but we're starting to provide some things that can move us in that direction," he said. "That's what's holding up large enterprises from using cloud computing for anything too important -- they don't have the whole compliance regime around it. That whole ecosystem hasn't been developed yet."

The CSA's guidance, which dozens of contributors helped develop, outlines key issues and provides advice across 13 domains, including incident response, encryption and key management, identity and access management, and legal and electronic discovery. It's designed to help organizations understand what questions to ask cloud providers, current recommended practices, and pitfalls to avoid.

Several organizations have been using the first version of the guidance to develop their long-term cloud strategy, Reavis said. The new version "gives them a little more meat to negotiate with cloud vendors," he said.

In its first year, the CSA expanded its membership and now counts 23 corporate members, including heavyweights Microsoft, Cisco Systems Inc. and Hewlett-Packard Co.

Reavis said the alliance has succeeded in getting the word out about cloud security issues and in prompting the information security industry "to be proactive about something new," which isn't necessarily common practice in the industry.

CSA also has succeeded in building a global footprint that it plans to leverage further next year, he said: "What we're finding is there's so many private clouds; so many governments and industries around the world are going off in their own direction. We can be helpful counters to that and try to get everyone on the same page."

Next year, the alliance plans to release research on cloud security threats, and tools for mapping its guidance to controls frameworks and standards, such as the PCI Data Security Standard and ISO 27001, he said. It also is planning several education events.
