Fathoming the cloud

Silver Linings

By
Much spoken of but little understood, "the cloud" poses new security problems that need to be defined and debated and their solutions facilitated.

Chances are you may not yet have heard of the Cloud Security Alliance (CSA) [1], but I'm willing to bet you have heard of the cloud. Like ".com" in 2000, "cloud" is the hot code word du jour. Much like Linux in 2000, "the cloud" is currently approaching the "Peak of Inflated Expectations" rapidly [2]. However, Linux had numerous organizations and companies to help it move from inflated expectations to the "Plateau of Productivity." Although Linux has not yet become a big hit on the desktop, it's doing quite well in the server world – LAMP stack anyone?

To move the cloud from being an over-used buzzword to something that we actually use to get work done, it's going to need some help. The good news is, on the provider and products front, we have more than enough vendors frantically pushing cloud solutions that, once it shakes out, we will be left with some good stuff. But on the security side, what are we going to do? One of the primary benefits of the cloud, and one of its biggest problems, is giving up control – of the hardware, your data, and so on – to a provider.

What Is the CSA?

Ask, "What is cloud computing?" 100 times, and you'll get 100 different answers. Start asking about cloud security, and you'll get a mixture of answers, shrugs, blank looks, and offers to buy "cloud-enabled" security products. One of the biggest challenges is actually to agree on what cloud computing is and the various names for its services and components.

The elements most people agree on appear to be multi-tenancy (i.e., sharing resources with numerous other customers), on-demand self-service (companies love customers using automated systems to lower their overhead), measured services (i.e., pay for what you use), and elasticity (you need one server? 1,000 servers? No problem!). These elements are exemplified by most modern cloud providers. Google, Amazon, and the like will literally carry you as a customer for pennies a month. For example, one month with Amazon, when I didn't use anything other than some storage, cost me just US$ 0.02. Alternatively, these providers will happily let you scale up and use massive amounts of capacity, as witnessed by Netflix living in Amazon's EC2 cloud.

On the security side of things, it gets much messier. At what point is a service, such as email spam filtering, "cloud enabled"? If it runs within a cloud provider like Amazon? If they run their own data centers but provide enough capacity to handle customers from one piece of email a month to one billion pieces of email a month? I'll be honest. I have no idea, and I bet five years from now, I still won't have a solid answer for you.

What the CSA Does

The CSA has a number of ongoing projects, but they largely boil down to a few key areas: defining the problem and environment of cloud security, education, standards, certification, and research under the auspices of several working groups. Additionally, the CSA is trying to connect people through local chapters and various working groups and research projects. Think of the CSA as a neutral third party, a sort of facilitator, much like Switzerland or a football referee, except that instead of only refereeing the rules of the game, they're also trying to help elevate the game.

Certification and Standards

Although still young, the CSA Certificate of Cloud Security Knowledge (CCSK) is meant to establish a baseline of knowledge and competency. Currently it mostly covers terminology and fundamentals, for the simple reason that we don't yet have well-established security practices in the cloud. Although we know what we should probably do, matters are evolving rapidly. The CCSK certification is based on the CSA Security Guidance document [3].

The CSA Security Guidance, in turn, is designed to provide high-level coverage of cloud security issues and some methods to address them, ranging from legal and electronic discovery to application security and virtualization. Much like other standards (e.g., PCI), the Security Guidance doesn't specify explicit methods (e.g., to encrypt data), but it raises issues like secure key storage and deletion.
