Cloud Security: A Crowded Standards Landscape?

IBM’s Mike Edwards describes the myriad cloud security standards as less a jungle, and “more a garden with well-organized arrangements of different plants”

Talk cloud computing and wherever you are – be it the boardroom or IT department – the conversation will soon swing around to security. With the cost-saving case now largely taken as read, and 'cloud' an accepted part of the business computing lexicon, it can be surprising to see security remain a stumbling block to successful migration.

Could the reason be that there is an ongoing struggle between cloud vendors and their clients for control over data transfer, infrastructure, and security assurances within an increasingly crowded cloud computing standards landscape?

Gold Standard

It doesn't take a genius to realize that the very nature of cloud computing depends upon technical standards making it possible for services to be accessed and used by many organizations across the planet. There are basic standards that enable this, and what Mike Small, analyst at Kuppinger Cole and also an ISACA Security Advisory Group member, calls a “complex web of emerging standards.”

Small cites a study by the European Telecommunications Standards Institute (ETSI) that found some 20 bodies producing standards and over 150 relevant documents. No surprise then, at first glance at least, that the cloud standards landscape appears crowded and confusing. On closer inspection, it is better described as immature but maturing fast. As with any emerging area of business technology security, IT security professionals disagree about whether a 'gold standard' has yet begun to shine.

Catalin Cosoi, the chief security strategist at security vendor Bitdefender, is firmly in the ‘no’ camp, telling Infosecurity that “despite industry efforts, cloud providers are yet to establish a standard framework to guide the interactions between enterprises and cloud service providers.”

Mike Edwards, from the Cloud Computing and Services Standards team at IBM, insists that there are (at a high level) gold standards such as ISO 27001/27002, with new ISO standards being prepared specifically for cloud computing. “ISO 27018 for protection of PII (loosely termed ‘privacy’) and ISO 27017 for security”, Edwards tells us, “will arrive in 2014 and 2015, respectively, and are likely to see rapid adoption.” Both are adaptations of ISO 27002 to address specific aspects of cloud computing, but they are certainly not alone.

There are other sector-specific standards such as PCI-DSS, HIPAA, and FedRAMP that can be, and indeed are, applied to cloud services. “At a lower level”, Edwards continues, “there are a host of existing security standards that are widely used in cloud computing: things like SAML 2.0, OAuth 2.0, OpenID Connect for Authentication, and encryption as recommended by FIPS 140-2 etc.”

Looking at how companies seek an 'elastic' approach to cloud adoption when choosing a vendor, it becomes apparent that blending security controls drawn from several certification regimes, rather than relying on any single one, is fast becoming the norm.

Richard Morrell, who describes himself as the cloud evangelist at Red Hat, has worked with the Cloud Security Alliance (CSA) to push and promote this evolution in cloud security standards. “The CSA version 3.0 of their cloud security matrices has been built by the CSA community, taking the best standards across every type of business vertical imaginable”, he says.

These matrices, Morrell argues, actually exceed the guidelines available across sovereign states and territories that may or may not have their own devolved security standards or interlaced privacy/data regulations. “This is particularly critical for understanding how a multi-territory or multinational requirement for devolved cloud access or emergence of agile applications is required to be pushed to cloud”, he says.

What this means, according to Morrell, is that if you are an EU or APAC company wanting to host in the US with a provider, or a US company wanting to work with EU companies in cloud or move or migrate data in transit/credentials or workloads, all you actually need is to use the CSA matrices as your starting point. But is the transatlantic standards equation really that simple?

Transatlantic Troubles

Espion’s information governance consultant, Ross Spelman, explains that the European position is shaped by the EU Data Protection Directive (Directive 95/46/EC), which protects individuals with regard to the processing of personal data (including sensitive categories) and governs the transfer of that data. “Upholding the Act is under the remit of the individual countries’ data protection agencies”, Spelman says. “Through notifications and authorizations an agency can control sensitive processing of personal data performed by authorities and companies within each jurisdiction and the EU generally.”

Additionally, guidance is available to European governments from numerous external sources: the EU Cloud Computing Strategy, EU Cyber Security Strategy, EU eGovernment Action Plan 2011–2015, and individual sovereign data laws that provide guidance on legal obligations. “The EU is promoting the use of cloud computing strategies in government”, Spelman continues, “but accepts the need for common standards, the absence of which is deterring the adoption of cloud solutions in member states.”

As for the US position, as Mike Small explains, the United States government technology standards body, NIST, has been very active in the production of standards around the cloud. “These have mainly been focused on the definition of the standards that a US federal agency or other government body would require of a cloud service”, he says, “with the most comprehensive standard being SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.”

In addition, the Federal Risk and Authorization Management Program, or FedRAMP (a US government-wide program), provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. “This includes a set of security guidelines, controls and an independent assessment process”, Small continues. “And on top of this, many of the fundamental standards that the cloud relies on for security (such as FIPS 140-2 Security Requirements for Cryptographic Modules and FIPS 197 Advanced Encryption Standard) are ultimately defined in NIST or US Government standards.”

As with most standards and regulations – no matter what the specific technology or market sector – they ultimately come together to combine the best from all sides. That's the opinion of Garry Sidaway, global director of Security Strategy at NTT Com Security. He told Infosecurity that “both the EU and the US will work toward accepting regulations that apply to the different regions and not force cloud providers to meet different standards depending on the location of the service”. This, he says, is because “standards and government have to understand that cloud has no boundaries and good security is not restricted to a specific country.”

The Snowden Effect

Then there's the Edward Snowden problem. There's no denying that concerns over NSA/GCHQ surveillance have filtered through to the boardroom. But how have these concerns affected the cloud providers’ bottom line and what questions are customers now asking regarding data assurance and access to information as a result?

“Simply put, and from our own survey, security is still the number one barrier to cloud”, Sidaway comments. “And the recent revelations have not significantly changed this as the concerns are the same. If government, police, legal, or security organizations request access to data, systems, logs, or other customer-specific information, then they should expect a court order, warrant, subpoena or other legal document enforcing access. At present, none of our clients have made a request for such clarification, as this is part of our standard contracts”, he told Infosecurity.

Simon Godfrey, director with the Security Practice at MTI Technology, has noticed a “new and increased level of distrust within the industry”. In particular, those people who thought their information was secure “are now reassessing their approaches, with national government agencies included in their risk profiles.”

Of course, the collective eye-opener of the Snowden leaks comes on the back of high-profile hacks from the Chinese, Israeli, and European governments and Anonymous-type hacker collectives. “This is not just the NSA and GCHQ”, Godfrey reminds us. “The Snowden leaks have also implicated the reluctant, and in some cases, enthusiastic collaboration of large commercial business.”

The leaks have also highlighted the continuous process of legal interpretation and circumvention that the security services adopt. “Legal grey areas will be exploited alongside poorly crafted public policy and oversight”, Godfrey says, all of which means that cloud clients need to consider the infrastructure, operations and ownership that underpin cloud services provision far more closely. This brings us right back to standards and the need for more clarity. Or does it?

The Multiplication Myth

There's no doubt that there are plenty of security standards out there, as we have seen, but that isn't the same thing as there being too many cloud security standards specifically. The very title of this article asks whether the standards landscape is crowded, and perhaps the answer is that the multiplicity is a myth. IBM’s Edwards argues just this case, noting that the EU itself adopted what was in effect a meme when it titled the work it sponsored at ETSI “cutting through the jungle of cloud computing standards”.

As Edwards points out: “the working group found that there were relatively few standards that applied specifically to cloud computing”. Instead, where there were a group of existing standards for some particular aspect – such as authentication, for example – those multiple standards existed for good reason, and it was fairly clear where each one could be used effectively within the context of cloud service provision. “In other words”, Edwards concludes, with some merit, “it isn't a jungle but more a garden with well-organized arrangements of different plants.”
