Cloud Security Alliance

I haven't had a chance to speak with anyone from Novell in a while. Dipto Chakravarty, Novell's General Manager, Cloud Security, and VP WW Engineering, reached out to me and after a rousing game of calendar alignment, we spoke about the Cloud Security Alliance, its goals and how it plans to go about achieving those goals. Novell's products, by the way, have been powerful tools to help organizations achieve the goals of high levels of security and its expertise will certainly help the alliance.

Here's how the Cloud Security Alliance describes its mission

The Cloud Security Alliance is a non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

The Cloud Security Alliance is comprised of many subject matter experts from a wide variety disciplines, united in our objectives:

• Promote a common level of understanding between the consumers and providers of cloud computing regarding the necessary security requirements and attestation of assurance.
• Promote independent research into best practices for cloud computing security.
• Launch awareness campaigns and educational programs on the appropriate uses of cloud computing and cloud security solutions.
• Create consensus lists of issues and guidance for cloud security assurance.

Working Groups

Here's a list of working groups. It provides a glimpse into the group's analysis of the problem and where it plans to place its attention.

• Group 1: Architecture and Framework
• Group 2: Governance, Risk Management, Compliance, Audit, Physical, BCM (which I suspect means "business continuity management", DR (disaster recovery
• Group 3: Legal and eDiscovery
• Group 4: Portability & Interoperability and Application Security
• Group 5: Identity and Access Management, Encryption and Key Management
• Group 6: Data Center Operations and Incident Response
• Group 7: Information Lifecycle Management & Storage
• Group 8: Virtualization and Technology Compartmentalization

Snapshot analysis

The history of IT is littered with the corpses of dead partnerships and alliances. These alliances are launched with a great deal of fanfare only to quietly disappear into the footnotes of IT history a while later.  The key question is will this alliance follow the same trajectory?

Although large organizations facing regulatory compliance issues are very likely to already be thinking about the issues raised by the cloud security alliance, smaller organizations are much more likely to just build their homes in the cloud without thinking about security at all. Many will find their home in the clouds happy places, some will wish they paid more attention to security and other issues.

Cloud environments offer many exposed interfaces and, thus, many attack surfaces. It is not at all clear that without proper initial planning and conscious implementation whether suppliers of security tools can completely allievate potential problems. There are many variables and a growing number of laws and regulations that could act as potential mine fields in a cloud implementation.

It is far better if security was part of the initial architecture of a workload, regardless of if it is hosted in an organization's own network, out in the cloud somewhere or is build using a hybrid model that combines the two.

It would be lovely if this organization develops a set of processes and recommendations for tools that will eventually guide the industry. If history is a guide, however, this dream may only partially become reality in the distant future if at all.

Since cloud is increasingly seen as a useful approach to delivering IT functions at a lower, more manageable cost, I hope the dream becomes a reality sooner rather than later.