EFFORTS TO BRIDGE THE GAP
The Cloud Security Alliance (CSA), a nonprofit coalition of industry practitioners, corporations, associations and other key stakeholders, is working to assuage fears about cloud computing. The group has launched a number of best practice initiatives and developed frameworks that aim to increase visibility into cloud provider security controls and overall improve industry confidence in cloud security.
A survey of more than 250 cloud users, providers and consultants conducted by the CSA and the certifications body ISACA found that cloud-based services have room to improve on the security and governance front. Nearly all the survey respondents indicated that they thought cloud computing was far from reaching maturity. Only SaaS was the furthest along, with infrastructure and platform services still considered in the infancy stages. SaaS scored the highest adoption rate in the study, with 62.3 percent, followed by IaaS with 35.7 percent and PaaS with 22.6 percent.
The survey found that companies want to reduce the data center footprint in the organization and gain business benefits while reducing costs, but they are also seeking assurances that the services will be reliable, available and secure, said Jim Reavis, executive director of the CSA.
To that end, the CSA last year launched a security certification program for cloud service providers. The Open Certification Framework ensures a cloud provider implements security controls in line with the CSA's guidance by getting certified via ISO 27001. A cloud provider's certification, combined with a listing in the CSA's Security Trust and Assurance Registry (STAR) program, a public repository of providers' security controls, can give companies evaluating cloud providers much more assurance and documentation about the provider's security posture, Reavis said.
"There's always a question of the absolute baseline of what a provider should do vs. a la carte security services to meet a higher assurance need," Reavis said. "If you're providing highly available consumer-oriented service, you are going to want to make it economical, so we as an industry are going to have to get educated enough to ensure that even just the baseline will have a fair amount of security in it as well."
Reavis said market pressure has helped the STAR registry grow past 20 providers since it was launched early last year. To obtain a listing, cloud providers must answer a set of assessment questions based on the ISO 27001 standard and ultimately agree to have that data freely available in the registry. Most of the cloud firms signing on to the registry program say customers are asking them to open up, he said. It's that kind of movement -- customers asking for security and transparency -- that will force cloud providers to institute changes.
"You can feel the market pressure happening," Reavis said. "Organizations are getting regular queries from potential customers wondering why they're not there [in STAR], so I think we'll see more cloud providers and some niche ones as well [added to the registry]."
Cloud adoption has been slow but steadily growing, Reavis said. "I'm seeing a lot of enterprises that have six-figure bills with Infrastructure-as-a-Service cloud providers," he said. "When you trace it back, it's common that it starts as a pilot or small group within the organization needing additional flexibility and it grows from there."
Service providers are beginning to find ways to differentiate themselves with tailored services for their clients in the form of security, maintenance and reliability. Small projects eventually help executives and IT teams establish trust with the provider, according to Reavis.
NEXT: Cloud Providers Step Up