Self-regulation preferred for cloud

Dr Michael Snowden, CEO, OneNet Limited and a director of the New Zealand chapter of the Cloud Security Alliance

The Cloud Security Alliance (CSA) is a global not-for-profit organization with a mission to promote the use of best practices for providing security assurance within the cloud computing industry.

The CSA organization is led by a broad coalition of cloud computing industry practitioners, corporations and security associations. There are 64 country-specific chapters and over 35,000 individual members.

An active New Zealand chapter exists, conducting research and educational seminars. Virtually all international IT vendors, several leading cloud service providers and government agencies, as well as many multinationals are organizational members. There are also more than 290 individual members.

The New Zealand chapter of the Cloud Security Alliance is engaged in several collaborative research projects. For example, the challenge of creating technical specifications for an auditable cloud, in accordance with international standards, is being addressed by representatives from the University of Waikato, the University of Auckland, Unitec and CSA.

The New Zealand and Italian chapters of CSA have jointly produced a report on how cloud-based privacy, security and data protection should be treated with BYOD.

In New Zealand, a research project is currently in progress to develop cloud-data life cycle management policy guidelines. This is a collaborative effort between leading cloud service providers and major cloud-user organizations.

The global CSA organization acts as a coordinator for a range of specialty interest global working groups, including cloud vulnerabilities, legal matters, incident management and forensics, cloud security innovation, mobile device issues, big data, privacy, data governance and security-as-a-service. CSA invites any cloud-user organization, cloud service provider or interested individuals to join and contribute to these working groups.

A useful CSA publication is the periodic report on the most important cloud computing threats. The most recent report lists the top threats as data breaches, data loss, account hijacking, insecure APIs, denial of service, malicious insiders, abuse of cloud services, insufficient due diligence and shared technology issues. This list of threats provides context for the various CSA best-practice guides and helps firms develop informed cloud security strategies.

A significant CSA innovation initiative has been the establishment of the CSA Security, Trust and Assurance Registry (STAR). In place since late 2011, STAR encourages transparency and assurance in the cloud. Cloud service providers disclose their security processes, standards and capabilities according to a structured set of questions.

The questions were gleaned from a wide range of well-established information security standards, such as ISO/IEC 27001 and 27002, with specific relevance to cloud computing. The questions are extensive and are intended to provide a common framework for potential users of cloud computing services to conduct due diligence.

There are two principal ways in which service providers disclose their self-assessment security information: the Consensus Assessments Initiative Questionnaire (CAIQ) and the Cloud Controls Matrix (CCM). The CAIQ alternative is structured in a yes/no answer format, while the CCM version takes the form of a free-form text response describing how each control is met.

The CSA STAR registry is a publicly accessible and searchable resource. Virtually all the major global cloud service providers are present. From a cloud service provider's point of view, the registry offers an opportunity to make security capabilities a market differentiator.

While the security information provided is self-assessed, CSA took the view that, in the early stages of the evolution of cloud computing, voluntary self-regulation of cloud providers is preferable to heavy-handed government regulation.

While CSA does not guarantee the accuracy of any provider's information, public scrutiny of the information helps to winnow out inaccuracies. A special listening post at star-abuse@cloudsecurityalliance.org helps to maintain discipline.

The New Zealand CloudCode initiative, sponsored and managed by the Institute of IT Professionals (IITP), has been hailed globally as a significant innovation. The CloudCode offers cloud service vendor signatories the option of disclosing their security controls through the CSA STAR registry. Accordingly, potential users of New Zealand cloud computing services are able to view, in a consistent format, the security capabilities offered by alternative cloud service providers, which facilitates their due diligence processes.

The Cloud Security Alliance is also very active in supporting education and certification of cloud security professionals. For example, CSA created the first cloud-specific security qualification, known as the Certificate of Cloud Security Knowledge, or CCSK. This qualification provides individuals with a solid foundation in cloud security issues and best practices.

The Cloud Security Alliance (https://cloudsecurityalliance.org/) continues to contribute very significant security management value for both service providers and users in the rapidly expanding cloud computing market.

As featured in NBR, November 15, 2013.