Two user groups launched cloud-security best-practices campaigns at RSA Conference 2009 and formed an informal alliance to influence the development of security products in accordance with their recommendations.
The Cloud Security Alliance (CSA) and the Jericho Forum released their agendas of threats to cloud services that need to be addressed, with CSA's detailed "Security Guidance for Critical Areas of Focus in Cloud Computing" filling up 83 pages that detail 15 areas of security concern.
At the same time, the Europe-based Jericho Forum served up an outline of the threats it perceives. The Jericho Forum, a much smaller group, acknowledged that CSA had thrown more people at the problem and come up with a more complete document.
But the groups are in agreement on what needs to be done. Chris Hoff, a security consultant who wrote the architecture section of the CSA paper, shuttled from his group's launch over to the Jericho Forum event, listened and supported it. "Your concepts make sense," he said.
The groups, which tout members that include large corporations such as DuPont, Eli Lilly, eBay and ING, need to use their influence as major customers to demand products that address cloud threats, Hoff said. "It's the large end-user organizations that will drive it," he said of the cloud-security best-practices push.
Issues addressed by both groups are wide ranging and include recommendations on planning what to do if the contract with the provider is terminated, and on understanding where data is located and how it is controlled.
Businesses need to scrutinize what security providers actually supply, says Adrian Seccombe, a member of the Jericho Forum Board of Management. "There's not too much security and identity management and access management in the cloud yet," Seccombe says.
"Cloud computing ought to be called swamp computing and we don't even know what the alligators are yet."
Despite the efforts to identify security vulnerabilities in cloud services, he is concerned that criminals capturing fragments of information about corporate cloud activity, which he calls bread crumbs, could deduce what proprietary activities businesses are up to. These bread crumbs, while not valuable in themselves, can create a trail criminals can follow to valuable information, he says.
Hoff says the work of the two groups will be ongoing because as clouds and cloud defenses develop, threats will adapt and new vulnerabilities will arise. "It's not an end state. It's going to change again," he says.
Rich Mogull, a security consultant who spoke at the Jericho Forum event, says the group should exploit the fact that its members are major corporations. "You should use the buying power of the Jericho Forum to influence the industry," he says.
CSA has broken the concerns into two broad categories: cloud governance and operating in the cloud.
Governance includes the subtopics governance and enterprise risk management; legal; compliance and audit; information lifecycle management; and portability and interoperability.
Operating in the cloud includes traditional security, business continuity and disaster recovery; data center operations; incident response, notification and remediation; application security; encryption and key management; identity and access management; storage; and virtualization.
The plan is to study these areas further and recommend standards, the group says, and it is seeking public input at www.cloudsecurityalliance.org. It plans regional public meetings to discuss the effort.
"The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers," the report says.