Cloud Security Standards for the rest of us

A couple of weeks ago I presented a session about Cloud Security Standards at the yearly ComputerWorld / KornerStone Cloud Security Forum, and one question that kept popping up at the event was: “Why Cloud Computing?”. That puzzled me a bit, as I thought all of us were aware of the benefits of Cloud Computing: services on demand, pay as you go, improved development agility, and so on. So I answered the question with another question:

“Why Not ?”

Yes, why not? As you might expect, the typical answers from the floor were “Poor security!” and “Concerns about data privacy!” … Those are concerns, I agree, but they are not facts. Instead, I believe the first few things that business users and CTOs / CIOs should consider are some other, psychological barriers.

Barriers like loss of control, lack of transparency, and lack of clarity around responsibilities, liabilities and accountability.

Those barriers are very real, because once you have performed a proper risk assessment of deploying Cloud in your business, and have also tackled those barriers, you will find that security and data privacy are not major concerns, but rather something the company and the IT team should handle professionally.

And what I mean by handling it professionally is this: before jumping to the conclusion that Cloud Computing is not secure, first ask yourself questions like when and where to use Cloud; outline the Service Level Objectives you need; review the people skill sets, process and change management maturity; and only then look for technical solutions.

 

With all that said, one will still question how one can make sure that cloud services (IaaS, PaaS and SaaS) are secure. That, I think, is where Cloud Security Standards can help. It is no secret that we have dozens of Cloud Security Standards in the market, and in fact all of them are important and relevant.

With so many standards and guidelines, it is rather difficult to tell whether a Cloud Services Provider (CSP) already conforms to certain standard(s) if you are shopping for CSPs, or hard to convince customers that your company conforms to certain standard(s) if you are a CSP. The only way, I think, is through certification.

I believe that with a proper certification process, regular reviews and listings of all certified CSPs, customers can easily find the best CSP for them. By the same token, CSPs can easily prove to their potential customers that they are doing a good job.

So Cloud Security Standards may not be easy to define and may be complicated to comply with; but with a certification process, it is easier to make the whole thing more fruitful for the standardisation bodies, the CSPs and the Cloud Computing customers.

Author: Michael Yung

Michael has over 30 years of experience in Information Technology, with a focus on complex application development, database technologies and IT strategy. He has also spent the last 20 years in Internet technology, eCommerce development / operations, web usability, computer security and Public Key Infrastructure technologies.
