The Virtualization Practice

Tag Archive for CSA

CloudComputing

I have written about the Public Cloud Reality and the need to bring your own security, monitoring, support. This was reinforced by Dave Asprey of Trend Micro at the last Cloud Security Alliance Summit held at this years RSA Conference. The gist of Dave Asprey’s talk was that YOU are responsible for the security of your data, not the cloud service provider.

CloudComputing

There has been a dearth of intelligence reporting on cloud services and up until now we had to rely upon the Verizon Breach Report, Alert Logic’s State of the Cloud report, the Enisa and other reports, but even so there was nothing specifically about a given cloud service outside the lightly used Cloud Security Alliances STAR self-certification. Instead you must imply something about a given service. This has changed. Meeting this need is Sky High Networks.

csa_logo_190_60

The 5/17 Virtualization Security Podcast was an open forum on the Cloud Security Alliance initiatives, specifically the Security, Trust, & Assurance Registry (STAR). Which is “a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.” The CSA has grown from a grass roots organization to a major player and producer or guidance for security and compliance for clouds.

On the 6/2 Virtualization Security Podcast, Rich Mogull, an analyst for Securosis, joined us to discuss his work with the Cloud Security Alliance (CSA) to develop the two day course called the Certificate of Cloud Security Knowledge (CCSK). While this course is not about learning all the intricacies of cloud security it is about providing a level set of knowledge required to even begin to talk about cloud security.

There has been great debate of what comprises the cloud, how to bound the cloud so that its easier to understand, and how to secure the cloud. Christofer Hoff of the Rational Survivabilty blog has been spear-heading quite a bit of discussion on cloud taxonomy in his attempts to wrap some thoughts around how to properly secure the cloud and everything within it. The start of this journey is the act of defining exactly what the cloud is, and is not. NIST’s document adds some more to an existing definition by defining public and private clouds.

Last month Verizon expanded its Computing as a Service (CaaS) cloud computing offering. The expansion itself is not surprising. The interesting tidbit is that Verizon has Carrier Status and therefore different laws apply to them than any other cloud provider that does not have this status, such as Amazon EC2, Terramark, etc. Will cloud computing providers be the next internet service provider? If so will they have to battle to not be responsible for the content within their clouds, as did internet service providers with the battle that ensued over the Communications Decency Act?