Attacks to spur cloud security standards

Cloud providers can expect more attacks on their infrastructure as adoption grows, Cloud Security Alliance head notes, adding such incidents will kickstart debates on standards and data privacy.
Written by Tyler Thia, Contributor on

SINGAPORE--With more companies moving data and applications from internal IT systems to third-party cloud-based services, there will be "more serious" attacks on these vendors' infrastructure, a security expert predicted. That said, he reckons these attacks will kickstart necessary discussions on cloud standards among stakeholders.

Jim Reavis, executive director of Cloud Security Alliance (CSA), said that hackers may be tempted to start attacking cloud providers' backend infrastructures and platform-as-a-service (PaaS) systems, as more enterprises outsource the storage of their data and applications.

"I think we're going to see incidents that are significant, but it's also going to become more interesting as the incidents may kickstart debates on who's going to be responsible for the breach," said the executive. Reavis was in Singapore recently to attend an ISO cloud security standards meeting, and to launch the Singapore chapter of CSA.

He said such cloud security standards meetings, which are attended by government officials and private sector representatives, are important as these aim to "build the framework that articulates what a provider and customer can control", and eventually institute the framework within ISO standards.

Given that companies are going full steam in cloud adoption, Reavis identified security standards as a top issue that needs to be ironed out. In particular, the concentration of risks as more data and assets are put in a single infrastructure due to virtualization and cloud computing needs to be recognized, he said.

"Take virtualization for example. We know of possible hypervisor attacks that can cause VM (virtual machine) hopping and, in turn, the potential breach of multiple customers," he explained.

Reavis stressed the importance of constant dialogue with governments and country regulators, as stakeholders can then learn how to mitigate cyberattacks, whether on their systems or their vendors', as well as to deal with the consequences of natural disasters.

Solving data privacy conundrum
Beyond instituting security standards, Reavis would also like to deepen the level of data location privacy regulations available today. This is because the world currently lacks "good harmony of data privacy legislation", he noted.

Currently, different regions have varying viewpoints on how to secure sensitive data, Reavis said. For instance, he said that a company based in the European Union would not be able to store its data in data centers sited out of the region.

There are "safe harbors" to help skirt the issue though, Reavis acknowledged. One method is to use "format preserving encryption, which allows encryption of information inside a software-as-a-service application (SaaS) without compromising the integrity of the data regardless of where it is housed, he explained.

However, these methods are "very limiting", he added.

To him, discussions to provide a more permanent solution can "move more quickly" when laws are being reinterpreted according to its intent, and the CSA aims to speed up the process via more interaction with national regulators.

"We can educate [lawmakers and government officials] on how cloud works and explain how the spirit of the law can still be preserved through the use of technology," he elaborated.

If successful, Reavis pointed out that not only companies in highly-regulated industries stand to gain, but cloud service providers would benefit too as this would widen its potential customer base.

"Economics dictate that cloud providers be able to service outside of their countries. You could be a regional or global provider, but if you're limited by a jurisdictional requirement then you're not going to be successful," he said.

The next 18 months would be vital in seeing the cloud industry mature as more companies see their cloud projects come into fruition, the CSA executive surmised. In fact, he has seen significant projects "move very quickly" over the past three months.

"Organizations have sort of gotten beyond if they are going to use cloud, but are now asking how to do it," Reavis noted. "There's still a big debate on how much of my enterprise’s data is going onto the private and public cloud, but at least they're certain about hybrid."

The CSA executive shared that it's such developments that inspire confidence within him that the industry would become "fairly coordinated" in terms of establishing cloud standards in the next year-and-a-half.

Editorial standards