Cloud security stokes concerns at RSA

Businesses are adopting public cloud services despite numerous risks

The risk comes not only from potential data loss, but also from running afoul of regulations, he said. For example, regulations may call for encrypting data in storage, but how can customers know whether providers encrypt it or not? Regulations vary from country to country, so how can a provider show that data restricted to a particular geographic location by European Union rules is staying where it's supposed to be within its multinational cloud?

Businesses should attempt to find out for themselves whether contracted services are being provided, perhaps aided by third-party certification that clouds meet established standards.

In a private briefing during RSA, HP said the issue of certification may not be as difficult as it seems. Jim Alsop, vice president of service delivery operations for EDS, which is owned by HP, said the company is considering whether to certify cloud provider networks as secure.

Control Objectives for Information and Related Technologies (COBIT), a standard used by many corporations to meet security requirements of the Sarbanes-Oxley Act, could fit the bill, Alsop said.

A modified version of the Statement on Auditing Standard 70 (SAS 70) might also be useful, he said. SAS 70 is a set of rules set down by accountants for auditing how transactions are processed within a service organization. Adapted to the specifics of the cloud, it could be used as the basis for a standard. ISO 27001, an international data security management standard, has many of the components needed for a cloud security standard.

Reliance on cloud computing services is becoming more tempting because of the dramatic savings it can produce, but that requires checking out the inner workings of the cloud, said Renee Guttman, privacy officer for Time-Warner, who spoke at RSA. Just as the cloud service itself lifts tasks from her staff, she wants to hire someone to help with those security checks.

"I want to be able to outsource some of my due diligence on a model that allows me continuous monitoring of the vendor," she said. Such third-party verification not only makes better use of her resources, it could arguably perform such assessments better than her limited staff could. In fact, that would be a requirement.

"You're darned-tootin' they better be better at it than I am," she said.
