The 5/17 Virtualization Security Podcast was an open forum on the Cloud Security Alliance initiatives, specifically the Security, Trust, & Assurance Registry (STAR). Which is “a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.” The CSA has grown from a grass roots organization to a major player and producer or guidance for security and compliance for clouds.STAR is one attempt to allow cloud providers to share their security controls on a voluntary basis by the filling out of a questionaire. STAR, unlike CloudAudit which is designed to be programatically queried, provides a much more free form set of data. While both are CSA initiatives, STAR (https://cloudsecurityalliance.org/research/initiatives/star-registry/#star_a) has a documented set of adherents such as Microsoft Azure. Even so Amazon and Google are noticeable by their absence. There are still questions about STAR however, such as:
- Can any cloud security or compliance initiative succeed if the biggest clouds do not participate?
- Will registering within STAR eventually become a service a third party provides to determine the accuracy of the Consensus Assessments Initiative questionnaire?
Self Certification can only go so far, yet it is a good start for determining if cloud providers are following a minimal set of security or compliance guidance.
One of the CSA’s first work efforts, the Cloud Controls Matrix, for example, is the starting point for securing and imposing compliance upon a cloud. It should not be considered the end-point of cloud security or compliance, but a common starting point. However, even more important is the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing is now at version 3, and grows nearly every day.
The Cloud Security Alliance has many efforts in play at this time, some are proscriptive and many tie directly into compliance instead of security which begs the question, is it really possible to fully secure a cloud for secure multi-tenancy instead of relying on Trusted Multi-Tenacy. We know we can be Compliant in a cloud. But can we ensure confidentiality and integrity within the cloud down to the bare metal administrators of the cloud? Or do we still need to trust that these administrators (or a very good electronic copy) will do the ‘right’ thing.
A major component of cloud is automation, and we need to be careful not to over automate, but to also protect such automation carefully.
All in all the Cloud Security Alliance is the place to start when you want to secure your cloud, judge the security of the clouds you wish to use, or look into how compliance is impacted by the cloud. The CSA’s initiatives greatly increase practitioners and users ability to understand the intricacies of cloud compliance and security.
I look forward to more and better work from CSA and you can as well at the 3rd annual CSA Congress (November 7-8th 2012) The CSA Congress “continues to be the industry’s premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security.” Learn More