CIO

How the CSA is working to solve Cloud security problems

Ask five different people a question about, say, cloud security, and you'll likely get five different points of view.

The cloud phenomenon is moving and morphing so fast that related disciplines, such as security, are hard to keep up with. Cloud-friendly concepts such as multi-tenancy and federated user authentication are challenging security vendors to come up with new and better counter strokes. But by the time they're ready, the cloud may have generated an entirely new set of security challenges.

Standards may or may not be the answer, since standards have a hard time keeping up with or anticipating fast-moving innovation. Yet there must be a way to standardize something, somewhere, to help bring structure and agreement to key concepts around cloud security.

That's where the non-profit Cloud Security Alliance comes in. Formed in 2009, the group today has 20,000 members and is regularly cited as a leading voice in the move to bring security to cloud computing. As Jerry Archer, a CSA board member and CSO for Sallie Mae, explains, the organization doesn't aspire to be a standards body, but instead looks for ways to promote best practices around which users, IT auditors, cloud and security solutions providers can agree.

One outcome is the CSA's GRC stack, a suite of tools to help people assess and instrument clouds according to industry best practices, standards, and critical compliance requirements. Like all of the tools the CSA produces, the stack is free for anyone to download, as is membership in the group (although there is a fee for corporate sponsors).

In our talk with Archer, he explained more about how the CSA works and how we are not only going to solve the security problems in the cloud, but how the cloud will improve security for everyone.

Give us a high-level description of what the CSA does.

You can group what we do into five major areas. One, we're developing strategy, particularly around how you get into the cloud and what things you need to be conscious of. Two is education, to help educate people in cloud security issues. Three, we're building best-practices frameworks around audit and compliance, and we're translating some typical SAS 70 controls and other audit regimes into frameworks for the cloud. Four, we're looking at assessment issues - how to look at the cloud in terms of assessing security. And five, we're looking out to see what the future holds.

How does CSA determine what projects to work on?

The CSA uses rigorous group-sourcing or cloud-sourcing. We now have 20,000 members, and ideas can come from any of them. You can propose an idea to the group. If you get traction, people will begin working with you, and then you can get sanctioned.

In the beginning, we had no funding for research. Today we have funding because we have corporate sponsors and we also have people who fund some of the work. But maintaining objectivity is important to us, so the board checks constantly to make sure that no vendor is over-subscribed, that is, funding too much research in a given area. We don't want to become beholden to any company's agenda.

You've said that the CSA doesn't intend to create so-called hard standards like SAS 70 or PCI. Why is that, and how do you perceive your contribution to the cloud computing industry?

We feel like industry standards should be created by the groups, like ISO and others, that are good at it. We often work with the existing standards organizations to provide counsel and guidance, but we feel we can be more agile if we're not tied to any specific standards. We have formal alliances with both the ISO and the International Telecommunications Union -- the ITU. We actually provide our research and resources to them on an ongoing basis to help with their work. We're also working with NIST, and we're open to creating partnerships with other standards organizations.

Do you see any conflict between the user's right to ask cloud providers detailed questions about their security measures, and the providers' right, in the interest of security, to keep those details secret?

Providers may never want to tell anybody how their firewalls are configured, things like that. On the other hand, there's a huge amount of information that, if it's conveyed correctly, would be extraordinarily useful from a compliance or security viewpoint.

If we separate the facts from the hyperbole, as a consumer of the cloud I could get enough information from you about my sliver -- wherever it's running today and however it's running today -- that wouldn't jeopardize your security at all, but yet provide me with the kind of knowledge I need so I can trust the environment I'm in.

In fact, things will get simpler from the consumer side as applications become instrumented so they can determine if they're in the right environment. DARPA has conducted enormous amounts of research into multi-tenancy environments, and they've looked long and hard at controls in the applications that will allow the app to report back the security of its environment.

How would an instrumented application work?

In a simple example, the app knows where it's supposed to be. It knows what kind of computer it's supposed to be running on, what operating system -- it could actually go out and interrogate those things to build a fingerprint that would say, OK, I'm in the right environment, patch level is such and such and so on.

It could be performance based, saying I know I'm supposed to be doing these kinds of things. It could test the validity of the code, and if the answer doesn't come out right then you know you've been had.

There are all kinds of things you could do to provide a great deal of knowledge about the environment that the app is running in, and at the end of the day, that's probably where you're going to go.

How far into the future of the cloud does CSA look, and what do you see?

Most of our focus is still building the foundational elements for cloud computing. But thought leaders can help influence the tactical side of building the foundation so it's transferable, so we don't have to tear the foundation apart and rebuild it each time we get through another cycle in the cloud.

In terms of the future, I think anybody who tells you they can see further than two years into the future of the cloud, well, that's naive. Everything is changing, and we can't begin to predict the consequences of all that change. It is as different, if not more different, than going from mainframe to distributed systems - the cloud will change everything about computing.

The question I have is what happens when the cost of a MIP goes to almost zero, and the cost of storage goes to almost zero?

Everyone will go to the cloud, and security will continue to evolve. For instance, fully homomorphic encryption will let me process data without ever decrypting it. The moment I can do fully homomorphic encryption I can put all my data in the cloud, fully encrypted. That sort of takes away the threat model, doesn't it?

The problem is that to run fully homomorphic algorithms takes a lot more processing power than we have today. But it's just a matter of time before Moore's Law creeps up on that one.

So cloud security will be able to keep up with the changes in cloud computing?

Yes, and security will actually improve in the cloud. Companies like Sallie Mae, financial companies and others that go to the cloud are going to demand equal or better security than what they have right now.

That demand on cloud providers will translate to everybody getting the same results. So the little guy who couldn't afford good security on their own will now get good security as a by-product of bigger companies moving into the cloud. We'll have large providers who can deliver security effectively. Security will improve in the cloud, and we'll all have better security in the future.