Long ago, I was in the middle of rolling out Windows NT 3.51 worldwide for Texas Instruments, and a Dilbert cartoon spoke to me in just the right way. (See that Dilbert comic here.) The humor of the cartoon (management’s ability to decree that a hugely complicated project can be completed by some arbitrary date) really hit home. Of course, this cartoon is still relevant today. One of the challenges IT pros have to face in this disruptive time of cloud computing is determining a logical and organized way to get started when management tells you they want to “move to the cloud” (whatever that means) in six minutes.
Fortunately there's an organization designed specifically to rescue you: the Cloud Security Alliance. The CSA is “a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders.” At the RSA Conference 2013, I was able to talk with John Howie, the CSA's chief operating officer (and longtime contributor to Windows IT Pro), and get his take on cloud security.
Sean Deuby: How did the CSA get started?
John Howie: Four or five years ago, a group of professional colleagues, including current Executive Director Jim Reavis, realized there was a lack of information about how to move to the cloud while maintaining data security and privacy. This lack of knowledge was inhibiting cloud computing adoption. The CSA was formally announced at the RSA conference as a community where security-minded professionals could get together and share knowledge. The membership quickly exploded, though, because a centralized, vendor-agnostic clearing house was badly needed. Every cloud service provider (CSP) had its own set of documentation, but it was all in different places on the CSP’s own websites and stored in different formats. The CSA worked with the CSPs to take their best practices and put them in a guidelines document for all to use.
Deuby: What areas does the CSA cover?
Howie: Beginning with the original “Security Guidance for Critical Areas of Focus in Cloud Computing” document (now in its third version), the scope of the CSA's documents grows as new areas (e.g., mobile computing) grow to a critical mass of interest. Another example is security as a service(SecaaS)—a huge project for the CSA—and how security has evolved in a hybrid computing environment. We’ve also opened a Legal Information Center, where IT pros can ask general legal questions about cloud computing (e.g., data restrictions in European countries) and get clear, jargon-free answers.
Deuby: What new initiatives do you have going on?
Howie: It's not commonly known that major CSPs don't currently provide anything more than the very highest-level availability reports for their services. The CSA is working on building protocols and a framework to eventually allow cloud service consumers to continuously monitor major CSPs at a daily, weekly, or monthly level. We also have the Security, Trust, and Reliability (STAR) initiative, which is a place where CSPs can upload their security documentation into the CSA's framework. This initiative allows a potential customer to easily compare vendors on an apples-to-apples basis.
Deuby: How does the IT pro start using the CSA?
Howie: Download and read the Security Guidance document. It really is the launching point into everything we do. It covers several areas, and with this document you can gain a high-level understanding of the critical areas of focus for cloud computing. The next step is to read our document “The Notorious Nine: Cloud Computing Top Threats in 2013.” This is a good way to look at a generic set of concerns when you're considering moving to the cloud.
Deuby: Are there any other resources that IT pros should be looking at in this area?
Howie: Microsoft has released the Microsoft Cloud Readiness Tool, which is a questionnaire-based system that measures the maturity of an organization and its readiness for cloud computing. When you use the tool, it provides you with a results scorecard and guidance about areas you need to focus on. The questions in the questionnaire are mapped back to CSA guidance, and the tool is endorsed by CSA. The results work for any CSP, not just Microsoft.
How to Get Involved
Anyone who's considering going to the cloud should read the previously mentioned CSA security guidance, as well as the top threats list. Then, go use the Microsoft Cloud Readiness Tool to assess your organization's readiness. The CSA is a growing organization, and one you should look into. All the intellectual property is free for personal use, commercial use, or commercial re-use. You can also join the CSA on LinkedIn to join the many discussions. Individual membership is free; the alliance is funded by its impressive list of almost 150 corporate members. Howie states the CSA mission very simply: "Our only goal is to advance the state of cloud computing security." Overworked IT pros sorely need practical education on the right way to be stepping into cloud computing, and the CSA is the first step they should take.
Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.
