Sunday, October 30, 2011

Cloud Security Alliance Working Toward Cloud-Specific Certifications

The Cloud Security Alliance (CSA) is working with other key players in cloud security and auditing to determine which organizations should provide the certification, as well as what such a certification should include. Certification is likely to be managed by multiple bodies.

[The CSA’s] research identifies the vulnerabilities that threaten to hinder cloud service offerings from reaching their full potential. For example, companies must be aware of “abuse and nefarious use of cloud computing,” which includes exploits such as the Zeus botnet and InfoStealing trojan horses, malicious software that has proven especially effective in compromising sensitive private resources in cloud environments. However, not all of the threats in this category are rooted in malicious intent. As the social Web evolves, more sites are relying on application programming interfaces (APIs), a set of operations that enable interaction between software programs, to present data from disparate sources. Sites that rely on multiple APIs often suffer from the “weakest link security” in which one insecure API can adversely affect a larger set of participants. Together, these threats comprise a combination of existing vulnerabilities that are magnified in severity in cloud environments as well as new, cloud-specific techniques that put data and systems at risk. Additional threats outlined in the research include:

» Malicious Insiders
» Shared Technology Vulnerabilities
» Data Loss/Leakage
» Account/Service and Traffic Hijacking

Source: http://www.hp.com/hpinfo/newsroom/press/2010/100301b.html

The entire cloud model of computing as a utility, together with its dynamic characteristics, makes this a whole new ballgame for certification. Jim Reavis, CSA’s Co-founder and Executive Director, quoted in Dark Reading, says, “[Cloud computing] brings everything into question: where the machines are, what is the nature of data. If data is encrypted on the public cloud providers’ [systems] and the key held by a separate cloud [provider]—is that even data? There’s some rethinking we need to do.”

In the same article, Bret Hartman, chief technology officer at the RSA, states that an enterprise’s own security controls and its cloud security provider’s controls must go hand in hand as well. “It’s complicated with cloud computing because there are multiple parties involved,” Hartman says. “I think it’s time for us to think about what a cloud certification would be ... and there would be different levels of certification required,” Hartman says. “It would be different than SAS 70.”

Source of Information: Implementing and Developing Cloud Computing Applications 2011