The Cloud Security Alliance has released the second version of its cloud computing security guidelines. The document is not a prescription for securing cloud computing assets or applications, but rather guidelines for determining risk exposure and tolerance for enterprises adopting cloud computing services.
The 76-page document is exhaustive review of cloud security considerations ranging from governance and regulatory compliance, risk management, data discovery issues, data portability and system interoperability, and operational issues. The document, which remains a work in progress by the Cloud Security Alliance working group, covers just about all the security considerations an enterprise would need to consider when evaluating cloud computing options.
As the editor of the guidelines advise:
“With so many different cloud deployment options — including the SPI service models (SPI refers to Software as a Service, Platform as a Service, or Infrastructure as a Service, explained in depth in Domain 1); public vs. private deployments, internal vs. external hosting, and various hybrid permutations — no list of security controls can cover all circumstances. As with any security area, organizations should adopt a risk-based approach to moving to the cloud and selecting security options.”
What’s missing from the document is a suggestion for modifying the definition of cloud computing to include security. In a conversation earlier this week with Archie Reed, a distinguished technologist at Hewlett-Packard who is studying cloud computing and security issues, told me that everyone talks about cloud as an means to reducing cost and increasing efficiency. Security, however, remains an afterthought.
“No one says cloud security is part of the scale and elasticity of cloud services,” he said in our conversation. “People are losing confidence, so the question is whether they’re willing to pay extra for these elastic services.”