I have written about the Public Cloud Reality and the need to bring your own security, monitoring, support. This was reinforced by Dave Asprey of Trend Micro at the last Cloud Security Alliance Summit held at this years RSA Conference. The gist of Dave Asprey’s talk was that YOU are responsible for the security of your data, not the cloud service provider.
There has been a dearth of intelligence reporting on cloud services and up until now we had to rely upon the Verizon Breach Report, Alert Logic’s State of the Cloud report, the Enisa and other reports, but even so there was nothing specifically about a given cloud service outside the lightly used Cloud Security Alliances STAR self-certification. Instead you must imply something about a given service. This has changed. Meeting this need is Sky High Networks.
The 5/17 Virtualization Security Podcast was an open forum on the Cloud Security Alliance initiatives, specifically the Security, Trust, & Assurance Registry (STAR). Which is “a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.” The CSA has grown from a grass roots organization to a major player and producer or guidance for security and compliance for clouds.
On the 6/2 Virtualization Security Podcast, Rich Mogull, an analyst for Securosis, joined us to discuss his work with the Cloud Security Alliance (CSA) to develop the two day course called the Certificate of Cloud Security Knowledge (CCSK). While this course is not about learning all the intricacies of cloud security it is about providing a level set of knowledge required to even begin to talk about cloud security.
The future of Virtualization and Cloud Security is being worked on today and there are several projects worth watching. Early guidance from these projects will aid your current virtualization and cloud security policies, procedures, plans, and architectures. (A6, DMTF, CSA, PCI, FDIC, etc.)
There has been great debate of what comprises the cloud, how to bound the cloud so that its easier to understand, and how to secure the cloud. Christofer Hoff of the Rational Survivabilty blog has been spear-heading quite a bit of discussion on cloud taxonomy in his attempts to wrap some thoughts around how to properly secure the cloud and everything within it. The start of this journey is the act of defining exactly what the cloud is, and is not. NIST’s document adds some more to an existing definition by defining public and private clouds.