TORONTO. Is the cloud more or less secure than traditional IT infrastructure?
That's a question that Jim Reavis, Co-Founder and Executive Director of the Cloud Security Alliance (CSA), discussed during a keynote session at the SecTor security conference.
"It's not like we think that any outsourced cloud provider is less secure than our own infrastructure," Reavis said. "It's just that we don't have the same transparency."
The CSA is a non-profit organization with some 39,000 members worldwide and a focus on research, certification and building awareness. Reavis noted that it has taken almost 25 years to get a handle on PC security and he doesn't want it to take that long for the cloud.
"The informed consumer is a missing component in making cloud providers more transparent in terms of what they are doing," Reavis said. "That is the only way we'd be able to know and provide assurance that that appropriate service is being delivered."
Reavis argued that there needs to be a mindset that consumers have a right to know what cloud providers are doing. He stressed that it's also something that all cloud users need to ask for.
"We can't do it as individual companies, where we have less and less ability to influence a cloud provider," Reavis said. "So we have to work together."
In an effort to help provide some transparency, the CSA has conducted a number of Cloud Service Provider surveys. According to the most recent data, only 59 percent of cloud vendors were able to locate and search all customer data.
"The survey shows that there is a need for more prescriptive guidance on data discovery best practices," Reavis said.
The issue of the physical location of data is also an issue for some enterprises and industries. The CSA survey found that only 82 percent of cloud providers said they could put data in specific locations. However, only 73 percent said they could technically enforce that geographic placement. So while they can set up data for one geography, that data could potentially wander.
Going a step deeper, only 65 percent of Cloud Service Providers said they do location based backup. While 84 percent of cloud service providers said they could provide end to end encryption.
Perhaps more surprising though were the findings about data remanence. Data remanence is about making sure that when data is deleted, it is really deleted. According to the CSA, only 33 percent of Cloud Service Providers claimed that they delete data according to some identifiable standard.
For Reavis and his organization, the future of the cloud is about real time continuous monitoring for standards compliance.
An initial step toward that goal is the CSA's Security Trust and Assurance Registry (STAR). STAR is a public registry of cloud providers self assessments.
"STAR is the form 10-k of cloud computing," Reavis said.
STAR will also be the foundation for a larger certification framework that CSA is aiming to roll out in 2013/14 for industry specific provider certifications.