Twenty years ago I drafted a document that was intended to reduce the effort required in information security management. Two decades later it has produced the opposite effect. That document was the first draft of what is now ISO 27002. Inspired by Donn Parker’s ‘baseline control’ concept, it was one of the first, professionally compiled collections of established information security controls. And it was the first de jure standard developed and agreed by real business security managers rather than standards enthusiasts.
The standard aimed to remove 90% of the effort in risk assessment by documenting commonly applied controls. Unfortunately it was hijacked by a consultancy community who subsequently reintroduced the need for mandatory risk assessment. It was also intended to be sufficiently broad and deep to minimise the need for any further standards. Yet two decades on, it has inspired a family of dozens of near identical standards and guidelines.
The lesson from this experience is that we should be careful about what we wish for. A successful standard tends to evolve into a licence to print money for consultants, publishers and auditors. The more successful it becomes, the more likely it is to be mandated by regulators and to be policed by an army of trainee auditors.
Worse still, any attempt to replace a variety of competing standards by a single new standard is likely to only add further to the chaos. If there are already too many standards, then the sensible course is to leave well alone, or at least just focus on the bits that are missing.
The Cloud security community has clearly not learned this lesson. It has just released an important new document Security Guidance for Critical Areas of Focus in Cloud Computing V 3.0. This is a good document, setting out just about everything you need to know about Cloud security. But it will undoubtedly generate a new industry for consultants, auditors, support tools and interpretation guides.
Now don’t get me wrong. I like this document. It is a well written guideline and an essential reference document on Cloud security. With a little more introductory text and a few examples it would make a fine book. But that is not its purpose. Its intended role is to serve as a basis for future standards and compliance. The authors see themselves as a “Cloud security standards incubator”. So be afraid. It is the portent of more that is coming your way.
If you are a vendor or purchaser of Cloud services this standard will add to your burden. At 176 pages you will have to spend a fair bit of your valuable time just to read and absorb it. If you a busy manager (and who isn’t) you will probably need to hire consultants to assess the implications. And unless you are a patient whizz at cutting and pasting long checklists and creating questionnaires, you will need to invest in a specialist tool to manage your response. You will need to carry out a detailed gap analysis to determine your compliance status. As the document points out: “The path to secure cloud computing is surely a long one”.
Of course you might already have ISO 27001 certification but that is not enough, because there are numerous variations in the structure, wording and demands of the new guideline. As I said, it sets out just about everything you need to know about Cloud security. But just about is not enough. You also need to read it in conjunction with lots of other referenced documents.
The bad news for the security community is that Cloud computing is a trigger for generating dozens of new versions of ISO 27001. To paraphrase Eric Morecambe, we will find all the right words but not necessary in the right order. The Cloud Security Alliance document has advice on everything from risk assessment to business continuity, all the standard stuff we already know about but re-drafted in a new, though not necessarily improved style.
It could have been different. What we could really use is a guideline that says “Cloud security is just the same as regular security except for these half dozen or so major differences”. That would make everyone’s life much easier. And the focus would be on the new things we need.
And in truth, there are many new countermeasures included that you won’t find in standards such as ISO 27001. That’s mainly because of the vintage of the edition rather than the subject area. But some key issues are missing, such as how to go about due diligence for services in BRIC countries, how to enhance personnel security to address the more severe insider threat, and how to go about planning for a major catastrophe, such as a large scale data breach, rather a simple business interruption.
Unfortunately, the insight and creativity needed to produce a perfectly formed document is unlikely to be found in a committee of professionals from 120 enterprises that collectively volunteer to develop a 176 page standard. Its production is a marvel in itself. Full marks should go to Paul Simmonds for his sterling work in pulling this ambitious document together. The real challenge however will be to turn this impressive body of knowledge into something of practical use to busy security managers.