Increasingly, computing is shifting from desktops and data centers to “the cloud”—the Internet-based use of widely shared computer resources. But along with the resulting efficiency, economy, and wider availability of information come new concerns about security. IEEE and the nonprofit Cloud Security Alliance have been working since February to identify problem areas and develop best practices and standards to help address them.
The first step was to survey the concerns of IT professionals involved in cloud-related projects—CSA members, other organizations dealing with security, the IEEE Computer Society, and corporate members of the IEEE Standards Association. Industry stakeholders discussed results in March at the RSA conference in San Francisco and SecureCloud 2010 in Barcelona, Spain.
Among survey respondents, 93 percent said the need for cloud computing security standards was important, while 82 percent called it urgent. Nearly 45 percent were already involved in developing cloud computing standards, and 81 percent declared themselves somewhat or very likely to participate in such development during the next 12 months. Standards development was most urgent in the areas of data privacy, security, and encryption, respondents said.
“The No. 1 reason people want accelerated standards development,” says Jim Reavis, CSA cofounder and executive director, “is their desire for regulatory compliance. People want to show they’re compliant, which is hard to do if you cannot point to some standard for due diligence.” Despite existing standards from the International Standards Organization, the U.S. government, and the European Union, “there is a real feeling that the lack of additional, relevant standards is inhibiting adoption of the cloud,” Reavis says.
“The Cloud Security Alliance (as the world’s leading organization focused on cloud security) and IEEE (as a global leader in standards development) are the obvious partners to establish cloud security standards,” says Judy Gorman, managing director of the IEEE Standards Association (IEEE-SA).
Nevertheless, says James Wendorf, IEEE-SA’s Industry Connections Program manager, the initial fruit of the CSA-IEEE relationship is likely not to be a formal standard but assessment tools, known as the Cloud Security Shared Assessments, and a list of best practices that could provide guidance to providers and users of cloud computing services. “These are less rigorously and broadly reviewed than formal standards, but they can provide starting points for the later development of more formal standards,” he says.
The Industry Connections Program is a flexible framework for building industry consensus and producing such varied outputs as industry white papers, proposals for standards, and shared databases. The program also includes the Industry Connections Security Group (ICSG), which has developed, for example, a malware metadata exchange format, an XML schema for exchanging information. Now ICSG, which includes McAfee, Symantec, Microsoft, and other industry leaders, is working on so-called software packers, which malware makers sometimes use to hide their viruses inside software distribution packages.
Starting with assessment tools and best-practices lists rather than formal standards might allay concerns of those survey respondents (84 percent) who said that some areas of cloud computing may not yet be ready for standardization, as well as the 28 percent who said they feared standards would hinder innovation.
“IEEE already has a number of security-related standards,” Wendorf notes, “and cloud security often requires you to generalize from those or refine and adapt them to the cloud. We have standards on secure storage (IEEE Std. 1619), some that deal with portable hard drives and USB flash drives—removable storage (IEEE Std. 1667)—and IEEE Std. 2600, which covers the security aspects of printers and copiers, as well as IEEE Std. 1363 dealing with encryption. All these could be expanded into cloud computing.”
The link between IEEE-SA and the CSA is currently informal. “Cloud computing security is a rapidly moving topic,” Reavis says. “The extent of our collaboration thus far has involved listening to a variety of stakeholders through a couple of industry events and our joint survey. We are now planning the work for developing cloud security shared assessments, but we haven’t determined a road map for future collaboration.”
“At the moment,” Wendorf adds, “there’s no formal memorandum of understanding, just an agreement to work together in these areas—which allows us to move forward and get results quickly.”
The CSA also has partnered with other organizations including the European Network and Information Security Agency, which sponsored the Barcelona conference, and the U.S. National Institute of Standards and Technology. Meanwhile, the cloud keeps growing (more than half of survey respondents said they plan to increase their application of cloud services in the next 12 months), putting ever more at risk as security concerns grow. Best practices and standards will help reduce the danger and lower the level of concern, officials say.
“By working with CSA,” Wendorf says, “we’ll identify areas that can benefit from standardization. Organizations such as government agencies and small businesses want well-established, supported, and broadly agreed industry standards, and that’s what IEEE can provide.”