Cloud providers that fortify their data centers to meet customers' security and compliance needs practically write their own ticket to market leadership. But that's easier said than done for many operators and managed service providers (MSPs), thanks to the lack of official cloud standards
Security is one of the three most important criteria enterprises consider when selecting a cloud provider, according to a 2011 Current Analysis survey of North American enterprises about cloud adoption, and enterprise cloud security concerns remain a big enough barrier to adoption to keep many deployments on ice. Customers aren't yet fully confident that cloud services guarantee secure access, prevent distributed denial of service (DDoS) attacks and protect the privacy and integrity of information processed and stored in the cloud.
Without a broadly accepted set of cloud security standards ... providers continue to grapple with the question of how to reassure customers that their tools and practices will minimize risk.
The good news for cloud providers and MSPs is that the case for the cloud is too compelling to keep most enterprises on the sidelines for long, but cost-conscious organizations are increasingly looking to providers to embed tighter security controls into cloud services. Unfortunately, however, there is a high degree of complexity associated with protecting data and other resources in such a fluid environment, often requiring a skill set many service providers simply don't possess. And without a broadly accepted set of cloud standards on what comprises effective cloud security and how to best implement these measures, providers continue to grapple with the question of how to reassure customers that their tools and practices will minimize risk and ensure data integrity.
Cloud standards in development
Although there are still no universally accepted cloud standards for what constitutes effective security, a number of industry groups and standards bodies are working on specifications. Efforts such as the Cloud Controls Matrix (CCM), a vendor-backed project of the Cloud Security Alliance (CSA), aim to develop guidelines that providers can use to validate that they are implementing cloud security best practices. The CCM -- which is building off common security standards like ISO/IEC 27001 and 27002, ISACA and COBIT -- outlines a cloud security framework for providers across 13 areas, including cloud identity and access management, data center security and application security.
To encourage greater transparency about providers' individual approaches to cloud security, the CSA launched the Security Trust and Assurance Registry (STAR) in late 2011 to provide a public database in which providers document their compliance with the CCM's guidelines. Customers may access this registry to get insight into whether cloud providers they are considering have implemented sufficient security measures.
As promising as STAR is on paper, there are issues that could limit its impact on cloud standards for security. STAR is not an independently verified cloud certification program, but rather a self-reported directory of responses to the CSA's Consensus Assessments Initiative Questionnaire, which documents a provider's compliance with the CCM guidelines. The guidelines rely on public scrutiny to validate compliance, and like any formal standard, the success of the CCM will be measured by how widely it is implemented. Today, the CCM is still a very young "cloud standard," with only a handful of providers currently documenting their CCM compliance.
PCI and FedRAMP: A foundation for cloud standards?
As the economic and operational benefits of cloud services grow more attractive to enterprises, cloud providers and MSPs simply can't afford to wait around for emerging cloud standards to gain credibility. Instead, they need to prove their cloud data centers are protected and demonstrate their cloud services are secure today. For many cloud providers, this means applying industry-specific security and compliance requirements to the cloud.
For example, cloud providers that handle confidential financial data should underscore their compliance with the Payment Card Industry Data Security Standard (PCI DSS) specification as proof of the integrity and security of their operations. PCI DSS does outline requirements related to cloud-specific aspects of security, stipulating that providers must segregate cardholder data and control access in addition to providing the means for logging, audit trails and forensic investigations. But the highly dynamic nature of most cloud-based applications -- which often lack built-in auditing, encryption and key management controls -- makes it expensive and impractical to apply the PCI standard to most cloud applications.
Providers and enterprises seeking answers on cloud standards for security have found guidance from an unlikely source: the U.S. government. Though not usually perceived as a leading-edge technology adopter, the public sector has been engaged in aggressive security standards development efforts to support its Cloud First initiative, which requires federal agencies to select a cloud service for new deployments when a stable, secure and cost-effective offer is available.
The Federal CIO Council laid out 150 cloud security controls for its Federal Risk Assessment Program (FedRAMP), which provides a baseline for common security requirements that agencies can use to verify that a prospective cloud provider supplies adequate cloud application security. Compliance will be validated by third-party assessment organizations.
Using cloud-specific security requirements created by the National Institute of Standards and Technology (NIST), FedRAMP offers agencies a common set of cloud standards they can use to sanction a cloud provider. If the particular agency has additional security requirements, then the provider can build on its baseline controls to address these needs.
Cloud providers may want to consider the FedRAMP framework as a template for cloud data center security strategy, as it may also supply providers with the validation they need to instill confidence in private sector clients.
Like virtually every other effort related to cloud standards, FedRAMP has its fair share of critics. But with aggressive backing from the CIO Council and the White House, the cloud standard is poised for widespread government adoption. If federal agencies accept the cloud standard in practice, FedRAMP could be the foundation for a cloud standard around security, which providers could in turn apply in private sector deployments as well. The blessing of the federal government -- by the far the single biggest enterprise in the United States -- is a strong vote for FedRAMP's credibility.
About the author: Amy Larsen DeCarlo is a principal analyst at Current Analysis, where her research focuses on assessing managed and cloud-based data center and security services.
This was first published in January 2012