Computerworld - SAN FRANCISCO -- There's a definite buzz of concern about cloud computing security as companies try to figure out when, how and whether they're going to use public (as opposed to private or internal) cloud services. Companies want to know that cloud service providers will protect their information, and service-level agreements and SaS 70 audits may not offer them enough reassurance.
Not surprisingly, companies want to reduce risks and offset loss of control. And how best to do that was a hot topic at this week's RSA Security Conference, as companies try to figure out how to bridge the gap between their reluctance to relinquish control over information security and the limited visibility cloud providers allow into their security architecture.
Perhaps the main issue is transparency, as providers can offer strong assurances -- but not the kind of accountability -- an enterprise can demand.
There was heated debate in one RSA session, as Eran Feigenbaum, director of security for Google Apps, said that cloud computing was being held to a standard that didn't exist inside the enterprise, what he called "euphoric security states." The panelists, including Feigenbaum, pushed for a standards-based approach to security that would meet the rigors posed by corporate governance and regulatory requirements.
Absent such standards, Feigenbaum noted that Google received SaS 70 certification and shares the audit results on its security controls with customers. Google is also now seeking certification to comply with the Federal Information Security Management Act (FISMA).
"The problem I have with SaS 70," said Michelle Dennedy, Oracle vice president, "is that unless we make it like the 27000 series or publish the parameters of FISMA, the third party attestation for one is an apple, the third-party attestation for another provider is a cumquat." She urged greater transparency, suggesting that "while cloud providers can't reveal their entire security architecture, they can use vectors of the ISO 27002 standard to reveal as much as they can."
Jim Reavis, co-founder and director of the Cloud Security Alliance, which has has issued a security guidance document (download PDF) for best practices, said the issue of transparency undercuts the question of whether information is any more or less secure in the public cloud than within the enterprise.
"The issue is that since we can't prove [that the cloud is less secure] -- and don't have the compliance regimen we need to have done -- we will require more transparency from cloud providers," Reavis said.
Security pros are feeling the crunch. Even as companies push the potential cost savings in the cloud, IT departments worry about their ability to effectively mitigate risk or gain sufficient transparency into a cloud provider's security.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
