TORONTO -- Global efforts to secure cloud computing, from resolving jurisdictional issues to tackling myriad compliance and data discovery problems, are slowly advancing, but consumers must insist on improvements from cloud providers if any significant progress is to be made, according to the chief of the organization working to solve the complex issues.
A whole host of cloud security issues needs to be addressed, said Jim Reavis, executive director of the Cloud Security Alliance, during a keynote presentation at the 2012 SecTor security conference. Jurisdictional issues, standards and identity management issues have yet to be completely solved, but organizations and government bodies such as the European Union are making slow improvements, he said.
"We have to have this mindset that consumers have a right to know there is a level of disclosure that does not introduce a security threat. You have to ask for it, you have to demand it," Reavis said. "That's how we are going to get a more secure cloud."
Individual companies don't hold enough power to influence change; instead, organizations collectively could wield more power to demand change, Reavis said. Industry groups can work together to find solutions to cloud security issues and insist they be implemented, he said.
"Ask more detailed questions about the policies and practices; let's think virtually, and how to create those IT systems and data centers that are virtual," Reavis said. "Let's demand transparency from our governments, our providers and our own organizations."
Advances in identity management will be a critical component in creating more secure cloud-based services, Reavis said. He described a future in which Web single sign-on gives way to a federated identity model where individuals establish a long-held identity that is granted authorization to access certain systems. Passwords are eventually going to give way to other authentication methods, he said.
"We may need to work toward more holistic IDs that have different authorizations and different purposes," Reavis said.
Reavis said certain jurisdictional rules, such as the USA Patriot Act, are being misconstrued by some organizations and inhibiting cloud adoption. The governance issues are causing some firms not to work with a U.S. service provider. But almost every country has a streamlined procedure for a warrantless search for information, he added.
"I can say that is hindering business, but we have to come to some common understanding," Reavis said. "Let's gain a little bit of perspective on this and understand that these types of laws exist in many different countries."
Reavis urged enterprises migrating systems to cloud environments to begin with a strategy, taking a systematic approach to choosing a provider, meeting goals and understanding risks. Understand the cloud models and the risks and responsibilities inherent in each of them, he said.
"You don't throw away our risk management processes," he said.
Reavis also urged attendees to visit the CSA STAR Registry, a database that provides voluntary information about cloud provider environments and risks.
"We're not going to have one-size-fits-all security practices," Reavis said. "If you want high assurance in the cloud you can do it, but you're going to pay more than Joe citizen."