A couple of weeks ago I presented a session about Cloud Security Standards at the yearly ComputerWorld / KornerStone Cloud Security Forum, and one question that kept popping up during the event was “Why Cloud Computing?”. That puzzled me a bit, as I thought all of us were aware of the benefits of Cloud Computing: services on demand, pay as you go, improved development agility, and so on. So I answered the question with another question:
“Why Not ?”
Yes, why not? As you may expect, the typical answers from the floor were “Poor Security!” and “Concerns in Data Privacy!” … Those are concerns, I agree, but they are not facts. Instead, I believe the first few things business users and CTOs / CIOs should consider are some other, psychological barriers.
Barriers like loss of control, lack of transparency, and lack of clarity around responsibilities, liabilities and accountability.
Those barriers are very real, because once you have performed a proper risk assessment of deploying Cloud in your business, and also tackled those barriers, you will find that security and data privacy are not major concerns, but rather something the company and the IT team should handle professionally.
And what I mean by handling professionally is this: before jumping to the conclusion that Cloud Computing is not secure, first ask yourself questions such as when and where to use Cloud; outline the Service Level Objectives you need; review the people skill set, process and change management maturity; and only then look for technical solutions.
With all that said, one will still ask how one can make sure the cloud services (IaaS, PaaS and SaaS) are secure. And that, I think, is where Cloud Security Standards can help. It’s no secret that we have dozens of Cloud Security Standards in the market, and in fact all of them are important and relevant.
With so many standards and guidelines, it is rather difficult to tell whether a Cloud Services Provider (CSP) already conforms to certain standard(s) if you are shopping for CSPs, or hard to convince customers that your company conforms to certain standard(s) if you are a CSP. The only way, I think, is through Certification.
I believe that with a proper certification process, regular reviews and a listing of all certified CSPs, customers can easily find the best CSP for their needs. By the same token, CSPs can easily prove to their potential customers that they are doing a good job.
So Cloud Security Standards may be not easy to define and complicated to comply with; but with a certification process, it is easier to make the whole thing more fruitful for the standardisation bodies, the CSPs and the Cloud Computing customers.