McAfee steps up cloud assurance

In a bid to quash cloud computing security fears, the security vendor offers third-party certification along with its own automated reporting capabilities to SaaS providers.
Written by Vivian Yeo, Contributor

SINGAPORE--McAfee has set its sights on providing greater assurance to end-users of applications and services delivered over the cloud with the launch of a new audit and certification program.

Unveiled Tuesday, the McAfee Cloud Secure initiative is targeted at software-as-a-service (SaaS) and cloud providers, combining third-party certification with the vendor's automated security auditing, remediation and reporting services.

Michael Sentonas, McAfee's Asia-Pacific CTO, said in a pre-launch Singapore briefing that the annual certification will be based on two existing industry standards--ISO 27001/27002 for information security management and Statement on Auditing Standards No. 70 (SAS70). McAfee has so far tied up with auditor KPMG and IT services company CSC to perform the certification exercises, he noted.

Under this program, a SaaS provider that has undergone a third-party audit and passed McAfee's network and service checks will be issued the security vendor's Secure trustmark. Since 2008, over 80,000 Web sites globally have carried this logo, said Sentonas.

To be able to earn the trustmark, companies need to subscribe to McAfee's Vulnerability Assessment Service which costs US$101.50 per system. Other McAfee services they can tap under the Cloud Secure program are the Total Protection Service which starts at US$34.98 each for a minimum of two systems, and the E-mail Protection Service at US$25.78 each for a minimum of 11 systems.

Pointing out that the cloud is both "friend and foe", Sentonas said it could present substantial cost savings for businesses, but at the same time there are concerns about data security in the cloud.

While standards such as ISO 27001/27002 and SAS70 are important--to the point that some customers, such as himself, would not use SaaS providers without such certification--they are renewed yearly and may not present an accurate picture of the security health of a cloud vendor.

Describing the new McAfee offering as "a framework that gives service providers the ability to assess their networks and gives customers the assurance that the networks are secure", Sentonas added that the daily security audit and reporting element is important as security is a 24/7 problem.

McAfee Cloud Secure is meant as a long-term initiative which the company hopes will be adopted as an industry standard, he said.

Other industry players have also made recent moves to beef up cloud security. The Cloud Security Alliance and Novell announced on March 1 a certification, education and outreach program targeted at cloud providers.

Following the launch of the program, McAfee will look to grow the number of third-party certification partners, as well as combine the framework's two elements into one in an automated fashion.

According to Sentonas, the feedback from SaaS providers in the Asia-Pacific region has been "extremely positive". They view McAfee Cloud Secure as "a good business advantage to differentiate in the marketplace", he added.

Citing Gartner research, Sentonas said 25 percent of new business software in the region will be delivered as a service by 2011.

Outside of Asia, one of McAfee's first Cloud Secure customers is expected to be Amazon Web Services.
