The Cloud Security Alliance has announced a new membership level and working group aimed at the expanding cloud security needs of small- and medium-sized businesses.
The objective of the working group, announced this week at the InfoSecurity Europe conference, is to create a small- and medium-sized business (SMB) version of the CSA's Security Guidance for Critical Areas of Focus in Cloud Computing Version 3.0, its standard for baseline security in enterprise cloud computing implementations.
Though the organization believes its current guidance provides much of the information SMBs need, John Howie, chief operating officer of the Cloud Security Alliance (CSA), stressed the need for guidance that is more easily understandable for SMBs that may be less tech-savvy.
Beyond the ability to negotiate prices and terms, Howie said SMBs tend to have unique security concerns when moving operations to cloud environments. While enterprises often have the staff to manage regulatory requirements, for example, SMBs tend to lack an understanding of their compliance demands. Howie pointed to the European Union's Data Protection Directive as a particularly complex regulation that governs how businesses should handle personal data.
"They start putting data into the cloud, and depending on where that data is or what that data is, they might be in violation of several laws," Howie said. "And on top of that, if something goes wrong, if data is lost or breached, they might not understand their obligation under the law to do breach notification."
Regulatory compliance is hardly the only area of cloud security where SMBs lack the knowledge of a dedicated staff, though. Howie mentioned, as an example, that SMBs are often confused by the role they must play in securing virtual machines in an Infrastructure as a Service environment.
"A lot of people assume that when you go to the cloud, the cloud providers take that work off your hands," Howie said. "The reality is, they will in some situations but not in others. And so there's just this general lack of understanding about what the cloud is and cloud technology, and what their responsibility is as a customer of the cloud."
Historically, Howie said SMBs tend to have less-sophisticated IT security compared to enterprises. The cloud, according to Howie, may serve as a stark contrast to those simplistic setups, and the CSA hopes to serve as an educational resource for SMBs on looming cloud security issues.
"When they go into the cloud, there's now all these bewildering arrays of options in front of them around terms of security and they might not understand that," Howie said. "So it really is about educating the [SMBs] about what cloud computing is, what their responsibility is and also helping them understand their obligations and where the pitfalls are."
Separately, the CSA announced that SMBs from around the globe will now have the opportunity to apply for membership, with members largely working through local chapters.
Howie said that the organization had received many inquiries from SMBs recently regarding a lack of representation. The CSA's membership ranks currently consist of two halves: one half comprises cloud service providers, while the other half is made up of cloud consumers, mostly large enterprises.
The current CSA membership structure fails to benefit SMBs or address their unique concerns, Howie said, with a chief issue being the lack of a relationship between cloud providers and SMB cloud consumers. When large enterprises meet with providers, they are often issued account managers to handle their needs and are able to negotiate custom prices, terms and service-level agreements (SLAs).
SMBs, on the other hand, are often forced to accept fixed terms and SLAs crafted entirely by the providers, despite SMBs accounting for the bulk of cloud consumers today, Howie said.
"The cloud provider's attitude is, 'This is our service. Like it or go elsewhere,'" Howie said.
The CSA's new working group aims, in part, to serve as an intermediary between underrepresented SMBs and cloud service providers.
"The goal of the small- and [medium-sized] level of membership is to pool them together and discuss with them and explore with them the unique challenges and problems that [SMBs] have in going to the cloud," Howie said, "and then communicate that to the cloud providers and our membership."