SAN FRANCISCO -- Experienced cloud security figures fielded audience questions at an RSA Conference 2013 panel on Wednesday; foremost among them were questions about the lack of transparency in cloud computing security.
Unsurprisingly, plenty of security issues were unresolved, even as Cloud Security Alliance Co-Founder and Executive Director Jim Reavis highlighted the growing shift by enterprises toward cloud services.
In particular, transparency continues to be a major stumbling block for cloud customers, with a large portion of the session dedicated to questions about gaining transparency into and assessing a cloud provider's security controls.
"If you look at it, it's a tremendous loss of control," said Patrick Foxhoven, chief technology officer at San Jose, Calif.-based Zscaler Inc. "There [are] two parts to it: You have to demand transparency for the vendors … and you have to select the right providers that are worthy of your trust, and I wouldn't give that out easily."
Jeffrey Schmidt, global head of business continuity, security and governance at Irving, Texas-based BT Global Services, elaborated on the need to be selective when moving operations into the cloud. He believes cloud customers must demand transparency from providers, and if they are unable to deliver the necessary information, they shouldn't work with that provider.
"One size doesn't fit all," Schmidt said. "If I'm going to move into the cloud, those [metrics] have to exist and they have to be written into the contract with the provider."
Nils Puhlmann, a co-founder of the CSA and former chief security officer of online gaming company Zynga Inc., suggested that cloud customers need to determine how mature the cloud provider is compared to their own security controls.
"Often, the role I played in these conversations was more of the police investigator," Puhlmann said. "Our questions were more of the 'How?' than the 'What?'."
When Reavis asked attendees how many knew of the CSA STAR program, fewer than half raised their hands. STAR is meant to encourage cloud provider transparency by allowing providers to publicly document their security controls. Reavis indicated that the lack of awareness regarding the program shows just how much more information needs to be delivered to cloud customers.
Beyond transparency, time was also devoted to the CSA's report "The Notorious Nine," which focused on the top cloud computing threats in 2013. Of particular concern were the report's top two issues: data breaches and data loss.
For Foxhoven, the issue of cloud data breaches is indicative of the divide between what he described as the two kinds of providers: those doing it right and those that aren't. "The ones that are doing it right are building the technology to do it," he said, "not just leveraging what is already there."
According to Schmidt, the lack of development in the area of data classification over the last 10 years is a key culprit contributing to data loss.
"If you don't have data classification, you don't know where your data is going," Schmidt said. "It's like walking through a bad neighborhood at night with a fistful of $100 bills and not expecting to get mugged."
Users, according to the panelists, are also partly to blame. The ease of use of many cloud services, such as Dropbox, has changed behavior to the point that data itself is no longer as valuable as it should be to users. Puhlmann believes that if cloud providers want "the big bucks from the enterprise" market, they need to establish a different model that takes into account the discrepancy between the user market and the business market.
Also of note was a question by Reavis to the panelists regarding whether auditors need to be trained specifically for handling cloud environments. There seemed to be agreement that such training is needed, as regular auditors lack the technical understanding to truly measure cloud deployments.
Puhlmann's ultimate advice indicated the need for enterprises to transform how they think about security and data protection in the cloud.
"Not all the data needs to be protected to the same level," he said. "At some point, you just have to focus on the things that really matter."