Good News for Cloud Security

Some good news on the issue of security in the cloud.

First, CA, Inc., has just joined the Cloud Security Alliance as a corporate member to help establish and promote best practices for security in cloud computing. The CSA is a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.

In a release from the company, CA said it will work “with enterprise customers and cloud service providers to securely adopt and deliver cloud services.” The company offers several products to maintain security for customers, including a menu of identity and access management technologies.

CA’s long-standing involvement in developing security computing features should be a great asset to the CSA, and I congratulate the company on its involvement in CSA.

On another front, there’s a study that I found that shows that small- and medium-sized companies can increase their security by using cloud services, despite some risks. The study exploring the security risks of cloud computing comes from the Fraunhofer Institute for Secure Information Technology (SIT). It not only gives an overview of prices and functions offered by major cloud providers, but it also lays out in detail the risk assessments for various use cases.

The study asks such questions as:

  • What happens when a cloud service fails?
  • Who guarantees that company secrets are secure on the external servers used in cloud computing?
  • Which security risks evolve when a cloud service subcontractor accesses the cloud systems?
  • Is a company’s data truly destroyed after deletion?

“Almost every large cloud service provider had an incident in the past in the areas of availability or security,” says Werner Streitberger, one of the study’s authors. “The current offerings in cloud services show that, especially in the area of infrastructure, a number of security technologies have been applied already.” But Streitberger says that “cloud providers have not yet advanced the support of security technologies as much in the areas of architecture, management and compliance.”

Small and mid-sized companies are at an advantage here because “they can obtain security solutions as a service from a specialized provider and, thus, benefit from the provider’s experience in the implementation and running of secure services,” says Streitberger.

Indeed, companies can protect themselves with advanced solutions running 24/7 from anywhere in the world that monitor their data safety, the performance of cloud providers, even customers’ experiences on their websites.

The study also recommends that companies, especially large firms, look over SLAs microscopically – to ensure that the rights and duties between the cloud provider and user are clearly spelled out. “The current customary agreements only provide minimal warranty for the quality of service for the cloud. Security guarantees exist rudimentarily and the functions necessary for the guarantees are insufficiently documented by the cloud provider,” says the study.