Cloud Security Alliance – Helping Secure the Nebulous Cloud
Posted by Kurt Johnson - VP Strategy on Thu, Apr 30, 2009
It's no mystery that cloud computing is the current hot topic in the industry. Whether it's the next major "paradigm shift" (I shudder at the mere use of the term) or it's merely enjoying its 15 minutes of fame, it clearly has industry buzz. Cloud computing security is riding this wave as well, with much discussion, focus, and vendor marketing aimed at the subject at the most recent RSA Security Conference in California last week.
With good timing, the Cloud Security Alliance recently published its initial report, "Security Guidance for Critical Areas of Focus in Cloud Computing". I agree with the alliance's belief that cloud computing represents an important trend that has the potential for major change in business with its increased adoption. I think the alliance is spot on that the basic tenets of security (good governance, managing risks, and common sense) do not change. But it's paramount that security professionals get ahead of the curve to address the security issues as the business adopts cloud computing.
The mission of the Cloud Security Alliance is to provide best practices to secure cloud computing. Its initial report makes great strides by outlining areas of concern and guidance for organizations adopting cloud computing. Key areas identified include governance, audit and compliance, and Identity and Access Management (IAM).
While we are encouraged to see IAM addressed in this initial report, the primary focus is on the need for a robust federated identity management architecture, with its insistence on standards such as SAML, WS-Federation, and Liberty ID-FF, and on authentication. The governance and audit sections also highlight important best practices. While we wholeheartedly agree that these are important tenets, it's also important to address other key areas of IAM focused on identity administration and audit, and on instilling a strong Access Assurance framework.
The complexities of ensuring that the right users have the right access to the right resources and are doing the right things with them are increased with cloud computing. Just as the alliance states, strong security practices do not change with cloud computing. This applies to access assurance issues as well. But managing them can be more complex, time-consuming, and open to error and oversight. Access Assurance best practices are a critical component to managing this increasingly important computing (dare I say it) paradigm.