Fathoming the cloud
Silver Linings
Addressing the A in A-I-C
One area almost all security standards address inadequately, if at all, is the first component of the A-I-C triad (availability, integrity, confidentiality). In the PCI DSS version 2.0 standard [4], the word "availability" doesn't even occur in the document; it focuses almost entirely on the confidentiality and integrity requirements. Traditionally, availability hasn't really been addressed by the security side of operations; instead, it is usually left to the server and network admins, at least until an attack takes the site down, at which point the security guys get involved.
Having given up physical control of the assets that hold and process your data, it is critical to ensure the availability of your systems. By this, I mean going beyond just ensuring that the systems are running; you also need to be sure that you can get your data out of the provider's system in a usable format. It's important to remember that simply having a database dump and all your files will probably not be good enough (e.g., even if your provider is using software that is also available to you, configuration issues could occur). This area is covered extensively by the CSA in Domain 6, "Portability and Interoperability" [5], of their Security Guidance for Critical Areas of Focus in Cloud Computing.
Security as a Service (SecaaS)
SecaaS is by far the most popular working group of the CSA, for the simple reason that this is where most of the money will be. Security as a service has some potentially huge benefits: Large providers can hire expertise that smaller businesses simply cannot afford, run 24/7 operations, and ideally do things more cheaply than you can. The accounting people are also excited. Any time capital expenditures, like buying servers and firewalls, can be traded for operational expenditures, chances are they'll jump at it. The tax benefits are often worth it, and it makes the shareholders happy, assuming you get the same level of service, which is where the problem often lies.
Giving Users a Voice
One problem with standards is that the people with a vested interest (such as vendors) tend to be the most vocal and active, because they stand to make a lot of money. The majority of users will typically not make a huge effort to be heard, resulting in standards that are vendor driven and sometimes quite useless. One aspect of the CSA is organizing users and giving them a voice. At last count, the LinkedIn group had almost 18,000 users. Through polls (e.g., the SecaaS Categories of Security Services) and by simply allowing users to raise issues, one hopes the concerns of all will be addressed.