Cloud security stokes concerns at RSA

Two words -- cloud security -- dominated discussion and drove the action this week at RSA Conference 2009.

Throughout the event, attendees -- who seemed to number fewer than in recent years -- were warned of a broad spectrum of potential danger areas from cloud computing services, including data loss and integrity, compliance, liability, reliability, authentication and information life-cycle management.

"It is a security nightmare, and it can't be handled in traditional ways," said Cisco CEO John Chambers in his keynote address. "You'll have no idea what's in the corporate data center."

Cloud security clearly lags, experts said, advising that until it catches up, businesses need to understand the dangers, weigh them against the corporate benefits and exercise aggressive risk management.

But there are promises of help from vendors whose RSA announcements were tailored to address some of the cited cloud shortcomings. Cisco, for instance, announced a cloud-based security service that pulls threat data from around the Internet and pushes it to users.

This is similar to an approach touted at the show by Trend Micro ahead of a formal announcement coming next month. Its OfficeScan client-server suite relies on servers in Trend's network to check the reputations of files, Web content and e-mail rather than relying on desktop protection, which may not be up-to-date.

Similarly, McAfee's CEO Dave DeWalt during his keynote address announced his company's road map toward predictive security, cloud-based sharing of threat intelligence among different categories of security devices to find and block malicious activity sooner than traditional methods.

Network services provider Savvis launched a Web application firewall service based on a choice of Imperva WAF appliances or virtual instances of its software that reside between the Internet and its network. Savvis said it thinks customers comfortable with its software-as-a-service offerings will also embrace cloud-based security.

Arthur Coviello, president of conference sponsor RSA, said that his company's cooperation with Cisco and Microsoft will result in common language to enable the sharing of intelligence about data-loss threats in the cloud as well as within corporate networks.

Page Break

Nevertheless, defensive measures lag far behind the known vulnerabilities of public cloud computing services, according to customer-driven groups trying to deal with the problems.

During RSA, two major cloud-security groups -- one primarily based in the United States and one European -- informally joined forces to pressure vendors to do more.

The Cloud Security Alliance (CSA) used the show as a platform to launch its efforts to standardize security for cloud computing with the release of its "Security Guidance for Critical Areas of Focus in Cloud Computing", an 83-page document detailing 15 areas of security concern.

Later that same day, the Europe-based group Jericho Forum served up an outline of threats it perceives.

Chris Hoff, a security consultant who wrote the architecture section of the CSA paper, shuttled from that group's launch over to the Jericho Forum event to support its effort, which he says overlaps very closely with that of CSA. "Your concepts make sense," he said.

The groups, which tout members that include large corporations such as Eli Lily, eBay and ING, need to use their influence as major customers to demand products that address cloud threats, Hoff said. "It's the large end-user organizations that will drive it," he said of the cloud-security standardization push.

There are plenty of standards needed, at least judging from the 15 cloud-security conference sessions dedicated to discussing them, but that isn't slowing the adoption of public cloud services, according to experts at RSA.

In fact, widespread adoption of cloud computing services is unstoppably underway, according to a Deloitte-Ponemon Institute survey released at RSA. Nearly 45% of respondents already buy cloud computing services and 22% say they are considering them, according to the survey. "Outsourced cloud is here," said Rena Mears, partner and leader with Deloitte's security and privacy services, who spoke during a conference session.

The downside is most businesses don't have a plan for checking to see if their cloud service provides the security it promises, she said, leaving the customer with uncertain security but stuck with any liability should private customer data be compromised.

Businesses are signing up for cloud services without scrutinizing the contract terms written by providers, said Randy Sabett, a privacy attorney with the firm Sonnenschein Nath & Rosenthal. "There is a shift in how businesses are striking a balance," he said. "What do we weigh more, cost savings or legal liability? They are deemphasizing the risk."

Page Break

The risk comes not only from potential data loss, but also from running afoul of regulations, he said. For example, regulations may call for encrypting data in storage, but how can customers know whether providers encrypt it or not? Regulations vary from country to country, so how can a provider show that data restricted to a particular geographic location by European Union rules is staying where it's supposed to be within its multinational cloud?

Businesses should attempt to find out for themselves whether contracted services are being provided, perhaps aided by third-party certification that clouds meet established standards.

In a private briefing during RSA, HP said the issue of certification may not be as difficult as it seems. Jim Alsop, vice president of service delivery operations for EDS, which is owned by HP, said the company is considering whether to certify cloud provider networks as secure.

Control Objectives for Information and Related Technologies (COBIT), a standard used by many corporations to meet security requirements of the Sarbanes-Oxley Act, could fit the bill, Alsop said.

A modified version of the Statement on Auditing Standard 70 (SAS 70) might also be useful, he said. SAS70 is a set of rules sets down by accountants for auditing how transactions are processed within a service organization. Adapted to the specifics of the cloud, it could be used as the basis for a standard. ISO 27001, an international data security management standard, has many of the components needed for a cloud security standard.

Reliance on cloud computing services is becoming more tempting because if the dramatic savings it can produce, but that requires checking out the inner workings of the cloud, said Renee Guttman, privacy officer for Time-Warner, who spoke at RSA. Just as the cloud service itself lifts tasks from her staff, she wants to hire someone to help with those security checks.

"I want to be able to outsource some of my due diligence on a model that allows me continuous monitoring of the vendor," she said. Such third-party verification not only makes better use of her resources, it could arguably perform such assessments better than her limited staff could. In fact, that would be a requirement.

"You're darned-tootin' they better be better at it than I am," she said.