The Cloud Security Alliance (CSA) on Thursday released the second version of its guidance for secure adoption of cloud computing services.
The nonprofit alliance formally launched in April with the goal of promoting best practices for cloud computing security. The group released the first version of its guidance at the 2009 RSA Conference.
The new version, Guidance for Critical Areas of Focus in Cloud Computing – Version 2.1, provides more specifics in several areas and more actionable advice, said Jim Reavis, Cloud Security Alliance co-founder and executive director. The evolution will eventually get to the point where the industry can have audits and certification of cloud providers, he said.
"I'm not saying we're going to necessarily stand up and do all of that for the industry, but we're starting to provide some things that can move us in that direction," he said. "That's what's holding up large enterprises from using cloud computing for anything too important -- they don't have the whole compliance regime around it. That whole ecosystem hasn't been developed yet."
The CSA's guidance, which dozens of contributors helped develop, outlines key issues and provides advice across 13 domains, including incident response, encryption and key management, identity and access management, and legal and electronic discovery. It's designed to help organizations understand what questions to ask cloud providers, current recommended practices, and pitfalls to avoid.
Several organizations have been using the first version of the guidance to develop their long-term cloud strategy, Reavis said. The new version "gives them a little more meat to negotiate with cloud vendors," he said.
In its first year, the CSA expanded its membership and now counts 23 corporate members, including heavyweights Microsoft, Cisco Systems Inc. and Hewlett-Packard Co.
Reavis said the alliance has succeeded in getting the word out about cloud security issues and in prompting the information security industry "to be proactive about something new," which isn't necessarily common practice in the industry.
CSA also has succeeded in building a global footprint that it plans to leverage further next year, he said: "What we're finding is there's so many private clouds; so many governments and industries around the world are going off in their own direction. We can be helpful counters to that and try to get everyone on the same page."
Next year, the alliance plans to release research on cloud security threats, and tools for mapping its guidance to controls frameworks and standards, such as the PCI Data Security Standard and ISO 27001, he said. It also is planning several education events.