That cloud computing security fear has prompted two industry bodies -- the Jericho Forum and the Cloud Security...
Alliance -- to generate a formal agreement to work together in helping promote best practices for secure collaboration in the cloud.
The Jericho Forum has worked for the last five years promoting the concept of 'deperimeterisation,' a strategy that uses encryption and dynamic data authentication to protect a company's information on multiple levels, rather than relying on traditional network boundaries. The forum urges vendors to provide systems that will support that model.
As part of its efforts, Jericho also produced its Collaboration-Oriented Architecture – a technical framework that allows companies to work securely together – and more recently, its Cube model, a cloud computing security arrangement that treats the cloud as an integrated whole made up of sub-clouds.
The Cloud Security Alliance (CSA) was formed in the early months of this year, with broad industry support, to tackle some of the immediate security challenges raised by the cloud computing model. It has already produced an 80-page white paper on the subject and is a taking a "tactical and pragmatic" approach to solving problems, according to co-founder Jim Reavis.
Reavis said the CSA was put together very quickly because "a lot of companies were moving faster [into the cloud] than we were comfortable with." The production of the white paper in April was the organisation's first deliverable, and Reavis said the CSA would be concentrating its efforts on specific cloud computing security areas, such as e-discovery, GRC (governance, regulation and compliance) and virtualisation, which he said were of main concern.
He made the point that cloud computing could actually improve security for many organisations by making available specialised staff and good practices that they did not have in-house. But organisations still need to be able to manage their data closely, and that will require new services. "I've used Gmail for years and it's great, and it's never let me down," said Reavis. "But when I delete a message, how do I know it's been wiped. We are going to need new solutions for this new computing model."
On the link-up with Jericho Forum, he said the two organisations had a lot of cross-over, but with different skills. "Jericho Forum has been strong in developing strategy and architectures while we are taking a tactical and pragmatic approach," he said.
That view was endorsed by Paul Simmonds, a founder of Jericho Forum. "The CSA dovetails nicely with Jericho. The CSA is looking at the question of security for cloud computing here and now, whereas Jericho has always been about getting the model right and providing thought leadership," he said. "We are almost screaming in agreement with CSA but using slightly different language. It is best for of us to agree on common principles and use the same words and phrases. That way, the vendors don't get confused."
Simmonds said cloud computing is a natural extension of deperimeterisation, and will open up new ways of working once the security model is properly defined. "Businesses are using the cloud at the moment, but they are de-risking it by only putting in a subset of what they can do given the limitations of the security model," he said.
"The real value comes when you can run a joint-venture operation, and share data in a collaborative environment, using your existing credentials. I need to be able to extend my Active Directory into a cloud model, along with my collaborating organisation, so that we can collaboratively work using our existing corporate credentials without having to set up something unique just for that joint venture. That's where cloud computing really takes off."
One man who is already advising organisations on how best to approach cloud computing security is William Beer, a director of the OneSecurity practice at PriceWaterhouseCoopers (PWC). He said the recession has accelerated the cloud computing trend as companies see the attraction of having a flexible resource they can switch on and off as their needs change.
Beer suggested many of the lessons learned from outsourcing could be applied equally well to cloud computing. "A lot of our tried and tested approaches to security can be applied and tweaked to the cloud," he said. "While it is a new world with many new challenges, certain methodologies and approaches can be reapplied in the cloud and offer some immediate comfort and assurance to our clients."
For example, SAS 70 audits by a third party -- which assess the contracted internal controls of a service organization -- would ensure that cloud-based suppliers were acting in a proper way. "It needs to be revisited, but I am quite confident that a lot of that experience can be leveraged," he said.
Beer also advised organisations to take a phased and gradual approach when switching systems into the cloud, rather than rushing the process.
The early days of outsourcing threw up similar problems, he said, and he advised companies to draw on the lessons learned from those times, such as the need to specify contracts carefully and the right to audit what suppliers are doing.
Companies might also want to specify the physical location of data in any contract, Beer added, in order to comply with data privacy legislation, for example.
It is not a trivial problem. "Many of the companies I talk to are already struggling with international data flows on a private network," he said. "So what's going to happen when we go into the cloud environment? The legal framework of a well laid-out contract can offer some support in terms of where the data is going, and you'll need to be notified if it goes to a different infrastructure from the one that is specified initially."