SAN FRANCISCO - There are many efforts underway to develop cloud computing security standards, but the industry faces a pressing need that may not be met anytime soon: A standard that’s viable across international borders.
During a panel discussion at the Cloud Security Alliance Summit, held Monday here at the RSA Conference 2012, cloud providers and security experts talked about various cloud computing security standards efforts and expressed frustration with the multitude of international data security and privacy requirements.
Marc S. Crandall, senior manager of global compliance at Google, said the various jurisdictional requirements in European countries are difficult to juggle; being compliant with one country’s rules runs the risk of being out of compliance in other countries.
“The issue of cross-border data flow is a huge issue for us,” he said.
Tim Mather, advisory director at KPMG and panel moderator, said the proposed European Union data protection regulation aims to establish a single standard so cloud providers wouldn’t have to deal with multiple regulations.
At the same time, though, he said it would remove the Safe Harbor policy agreement between the EU and the U.S. that regulates how U.S. companies handle the personal data of Europeans. The Safe Harbor program has permitted the flow of data from Europe to the U.S. for companies that participate.
“The Europeans want nothing to do with the Patriot Act,” Mather said, adding that the proposed EU regulation was a way for them to fight back and give European cloud providers an advantage against U.S.-based cloud providers. While the proposed EU data protection regulation is catching criticism in the U.S., others in the EU don’t think it’s tough enough, he said.
The CSA’s Cloud Controls Matrix project works with the ISO, a global federation of national standards bodies, to drive international standards, but the ISO works very slowly, he added. Meanwhile, FedRAMP will promote cloud security standards for federal agencies and likely local and state government agencies, but it doesn’t address the commercial sector, he said.
Baber Amin, senior director of product management at CA Technologies, said identity federation is a big issue for the company’s customers – they want to be able to use one identity across various services. He agreed with Mather, who noted that the technology to implement federation already exists; the sticking point is the legal question of whether the data can be moved across borders at all.
In the face of conflicting European data protection rules, the best thing cloud providers can do is “promote adoption of cross-jurisdictional standards,” Google’s Crandall said.
“We need uniform standards, something we can apply globally,” he added later in the discussion.