Agencies Push For Cloud Security Standard

Already, Novell has teamed up with the Cloud Security Alliance (CSA) to give a secure seal of approval to cloud solutions; McAfee this week unveiled its cloud security assessment program, dubbed the McAfee Cloud Secure program; and CompTIA offers a security best practices program in its CompTIA Security Trustmark, which can be applied to cloud computing.

And now, the Cloud Security Alliance, a not-for-profit organization that promotes best practices and security assurances in cloud computing, is working with the MashSSL Alliance, an organization that evangelizes the use of a next-generation SSL standard for cloud computing, in a bid to lock down clouds and add new levels of visibility and control, while also pushing for standardization around cloud security.

The CSA-MashSSL pairing aims to accelerate the adoption of secure cloud computing and alleviate end-user fears of security in the cloud, which can ultimately help solution providers get clients on board with cloud computing.

"Our goal is now to make concrete the basic building blocks needed for secure cloud computing, and we wish to do so using proven, open standards that already have broad industry support," said CSA Chair Jim Reavis. "MashSSL is clearly one such building block which has wide support among industry leaders and will be an integral part of the emerging architecture for secure clouds."

MashSSL repurposes the widely used SSL standard to solve new security issues introduced by emerging technologies like virtualization, cloud computing and mashups. According to MashSSL, the standard is a fundamental building block to new computing environments, much like it was to the development of ecommerce. Originally developed as a proprietary technology by SafeMashups Inc., MashSSL has since been released as an open standard under the Open Web Foundation agreements and is now overseen by the MashSSL Alliance and the W3C MashSSL XG, where it is going through the steps of being standardized.

"A perceived lack of visibility, control and the ability to prove compliance remain the most significant objections to enterprises who would otherwise more rapidly embrace cloud services," Ravi Ganesan, CEO of SafeMashups, a MashSSL Alliance and CSA member, said in a statement. "We need to quickly coalesce around the standards being developed by the CSA, the MashSSL Alliance, and other related efforts ... and act expeditiously to introduce trust into the cloud eco-system."

Essentially, MashSSL allows Web applications to mutually authenticate and establish a secure channel without having to trust the user or the browser. It is a Layer 7 security protocol running within HTTP in a RESTful fashion. MashSSL uses what's called a "friend in the middle" configuration to turn the SSL protocol into a multi-party protocol that inherits SSL's security, efficiency and mature trust infrastructure.

Formed in November 2009, MashSSL is looking to create an open specification that can be implemented without intellectual property concerns and a standard that ensures interoperability among different implementations.

"As the CSA now moves into identifying the concrete building blocks for the new protocols that are emerging to build a secure cloud platform, we welcome their joining the MashSSL Alliance, as MashSSL certainly supplies one of the key missing ingredients," said Siddharth Bajaj, Principal Innovation Group, VeriSign, who also serves as the Chair of the MashSSL Alliance and the W3C MashSSL XG, in a statement.