Analysis: CSA helps clear up cloud security questions

Roger A Grimes looks at the Cloud Security Alliance's advice on security

Uncertainty about cloud-service security is among the biggest barriers to adoption in the business world. Verifying a cloud service's security is tough, especially because cloud providers are hesitant to reveal details - and understandably so. Fortunately, a group called the Cloud Security Alliance (CSA) has emerged to help alleviate would-be customers' concerns, and it's becoming the de facto standard for cloud security guidance for service providers, users, and auditors.

Trust us, we're secure

Cloud providers' hesitancy to share precise details of their offerings' security doesn't instill much confidence in IT security admins, but in many cases, it's not a matter of vendors trying to be devious or hide something. Rather, as they are learning what it means to secure cloud assets and developing standards and controls, they are trying to come up with documentation that satisfies customer requests - without revealing too much information.

Observers in favor of cloud vendors revealing every detail of every security control often argue that sharing such data is akin to publishing a cryptographic algorithm for public review: Even if it is disclosed to the world, it should not weaken the protection provided. But computer defense strategies aren't crypto ciphers, and disclosing too much could help an adversary. There's a reason why the world's navies don't announce to each other where all their submarines will be on a given day. There is value in keeping defensive strategies secret. As I've said before many times, security by obscurity does have value - as an additional layer on top of sound controls, not as a substitute for them.

In order to protect their security secrets while addressing would-be customers' questions, many cloud providers have hired third-party auditors to perform security audits and have then released the results to interested customers. Traditionally, the Statement on Auditing Standards (SAS) 70 Type II is the most common US-based cloud audit standard you'll see. Other cloud auditing standards have been developed, including CloudAudit, CloudTrust, and ISACA's Cloud Computing Management Audit/Assurance Program. A few cloud providers have pointed to their military or defense department accreditations. But there hasn't been one global cloud-security auditing standard - until now, through the CSA.

Cutting through the haze of cloud security

The Cloud Security Alliance comprises dozens of cloud service providers, including three of the four big IaaS providers: Google, Microsoft, and VMware. (Amazon is missing from the list.) Other members include Cisco, VeriSign, the American Institute of CPAs, the biggest accounting firms, and many antimalware companies. The group's mission is to promote the use of best practices for providing security assurance within cloud computing, as well as to provide education on the uses of cloud computing to help secure all other forms of computing. The CSA doesn't do cloud auditing itself, but rather provides guidance to its members and readers.

Four pillars comprise the CSA's Governance, Risk, and Compliance (GRC) "stack": Cloud Trust Protocol, CloudAudit, Consensus Assessments Initiative, and Cloud Controls Matrix. The Cloud Trust Protocol is an XML-based standard way of communicating cloud security assertions, evidence for those assertions, and affirmations. According to CSA, the protocol allows "transparency as a service" for privacy, security, and compliance needs. The CSA website has a good summary of the protocol [PDF].

CSA also offers "Security Guidance for Critical Areas of Focus" [PDF] that breaks down cloud security into 13 domains, including:

  • Governance and enterprise risk management
  • Legal and electronic discovery
  • Information lifecycle management
  • Portability and interoperability
  • Business continuity and disaster recovery
  • Datacentre operations
  • Incident response
  • Application security
  • Encryption and key management
  • Identity and access management
  • Virtualisation

The CSA has done a good job of highlighting all the computer security bases as they apply to cloud offerings.

The CSA's Cloud Controls Matrix [XLS] is geared toward cloud service providers and auditors. It lists controls and maps them to popular compliance requirements: COBIT, HIPAA, PCI DSS, and so on. CSA's Consensus Assessments Initiative Questionnaire [XLS] lists well over 100 questions that map back to the controls listed in the Cloud Controls Matrix. These documents are meant to be used together.

As with almost any other auditing control document, my only complaint is that the controls and control questions are fairly general in nature. For instance, the questionnaire asks whether data is encrypted at rest, which is a good thing, but a "yes" gives no clue as to how well this is done: which algorithm and mode, how long the keys are, and where and how the keys are stored. The best encryption algorithms have been undermined by poor deployment practices. Unfortunately, very specific, technical details are rarely covered in any general security control guidelines, but at least you have a great starting baseline to work with.

If you're considering a cloud service, find out how it maps to the CSA's controls and other documents. For an example, see Microsoft's Office 365 Standard Response Document. (Microsoft is my full-time employer.) Even if your cloud service provider doesn't currently map to or work with the CSA's auditing documents, you can use those documents to make sure you ask the reasonable questions that any cloud user would pose and any cloud provider should be able to answer.

The CSA is not a perfect organization, of course. Like any independent, emerging standards body, it's taken a few years to gain consensus and grow its membership. There are still a few notable missing members. I keep waiting for some of the computer auditing-specific societies to join, along with other big SaaS vendors, such as Salesforce.com. Its auditing controls and questionnaire could contain more detail for my taste. Still, the group is accomplishing more than any other prior cloud standards body.

Grimes is the author of eight books on the subject and hundreds of articles and is a security architect for Microsoft's InfoSec ACE Team.
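The two complaints above (the questionnaire and the controls matrix only work when read together, and a bare "yes" to a general question proves little) are easy to operationalize once a vendor's answers are in hand. The following is an added example, not CSA material and not any vendor's response document: a small Python gap-analysis script that reads a vendor's questionnaire answers, rolls them up to the controls they map to, and reports which compliance frameworks are left with unmet, unanswered, or unsubstantiated controls. The control IDs, question texts, framework mappings, and vendor answers are all constructed placeholders; real CCM and CAIQ identifiers and content are not reproduced here. A "yes" with no evidence reference is deliberately not counted as "met", which is exactly the distinction the general questions fail to make on their own.

```python
"""Roll a vendor's questionnaire answers up to controls and compliance frameworks.

Constructed example: every control ID, question, framework mapping, and answer
below is a hypothetical placeholder, not real CCM/CAIQ content or a real vendor's
response. Requires only the Python standard library.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    frameworks: frozenset  # compliance regimes this control is mapped to


@dataclass(frozen=True)
class Question:
    question_id: str
    text: str
    control_id: str  # the control this question provides evidence for


@dataclass(frozen=True)
class Answer:
    question_id: str
    response: str     # "yes", "no", or "n/a"
    evidence: str = ""  # pointer to an audit report, config export, etc.


# Hypothetical control catalogue (placeholder IDs, not real CCM identifiers).
CONTROLS = {
    "ENC-01": Control("ENC-01", "Customer data is encrypted at rest",
                      frozenset({"PCI DSS", "HIPAA"})),
    "ENC-02": Control("ENC-02", "Keys are managed separately from the data they protect",
                      frozenset({"PCI DSS"})),
    "IAM-01": Control("IAM-01", "Administrative access requires multi-factor authentication",
                      frozenset({"PCI DSS", "COBIT"})),
    "IR-01": Control("IR-01", "Customers are notified of incidents within a defined SLA",
                     frozenset({"HIPAA", "COBIT"})),
}

# Hypothetical questionnaire; two questions feed ENC-01 so a vague "yes" can be caught.
QUESTIONS = [
    Question("Q-ENC-01a", "Is customer data encrypted at rest?", "ENC-01"),
    Question("Q-ENC-01b", "Which algorithm, mode, and key length are used?", "ENC-01"),
    Question("Q-ENC-02a", "Are keys held in an HSM or KMS separate from the data store?", "ENC-02"),
    Question("Q-IAM-01a", "Is MFA enforced for all administrative access?", "IAM-01"),
    Question("Q-IR-01a", "Is there a contractual incident-notification SLA?", "IR-01"),
]

# Constructed vendor responses: note the evidence-free "yes" and the missing IR answer.
VENDOR_ANSWERS = [
    Answer("Q-ENC-01a", "yes", "SAS 70 Type II report, section 4.2"),
    Answer("Q-ENC-01b", "yes"),            # asserted, but no detail offered
    Answer("Q-ENC-02a", "no"),
    Answer("Q-IAM-01a", "yes", "Admin portal config export, 2011-03"),
    # Q-IR-01a deliberately left unanswered
]

# Higher number = worse; a control is only as strong as its weakest answer.
SEVERITY = {"met": 0, "not_applicable": 0, "unsubstantiated": 1,
            "unanswered": 2, "unmet": 3}


def classify(answer):
    """Map one answer to a status; a bare 'yes' without evidence is not 'met'."""
    if answer is None:
        return "unanswered"
    response = answer.response.strip().lower()
    if response == "no":
        return "unmet"
    if response == "yes":
        return "met" if answer.evidence.strip() else "unsubstantiated"
    return "not_applicable"


def assess(answers, questions=QUESTIONS):
    """Return {control_id: status}, keeping the worst status across a control's questions."""
    by_question = {a.question_id: a for a in answers}
    status = {}
    for q in questions:
        current = classify(by_question.get(q.question_id))
        previous = status.get(q.control_id)
        if previous is None or SEVERITY[current] > SEVERITY[previous]:
            status[q.control_id] = current
    return status


def framework_gaps(status, controls=CONTROLS):
    """Per framework, the (control_id, status) pairs that are not satisfied."""
    gaps = {}
    for control_id, control in controls.items():
        control_status = status.get(control_id, "unanswered")
        if control_status in ("met", "not_applicable"):
            continue
        for framework in control.frameworks:
            gaps.setdefault(framework, []).append((control_id, control_status))
    return {fw: sorted(items) for fw, items in gaps.items()}


if __name__ == "__main__":
    result = assess(VENDOR_ANSWERS)
    for framework, items in sorted(framework_gaps(result).items()):
        print(f"{framework}:")
        for control_id, control_status in items:
            print(f"  {control_id} {control_status}: {CONTROLS[control_id].description}")
```

Run as a script, the report shows that ENC-01 is "unsubstantiated" (the vendor said yes to encryption at rest but offered nothing on algorithm or key handling), ENC-02 is "unmet", and IR-01 is "unanswered", and lists each under every framework it is mapped to. The point of the severity roll-up is that one vague answer drags the whole control down, which is the follow-up question an assessor should be asking rather than accepting the first "yes".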
