Jim Reavis is the Executive Director of the Cloud Security Alliance. In this interview he talks about cloud security challenges, cloud computing adoption in the enterprise as well as the recently announced Certificate of Cloud Security Knowledge.

Once a new and very hot topic, cloud computing has definitely found its place in the modern enterprise. Based on your experience, has wide adoption brought good security practices and awareness or just created more issues?

While virtually every enterprise has adopted cloud computing to some degree, the CIOs within these enterprises will tell you that they are still in a "learning curve" about the advantages and disadvantages of cloud computing today, even though most agree it will be the dominant form of computing in the future.

There are definitely cases where organizations have found applications of the cloud that improve security and resilience. For example, some organizations have discovered the cloud to be a low cost option for data center hot sites, which have allowed for more comprehensive disaster recovery capabilities. Also, using certain cloud applications have simplified segregation of duties that have been difficult to implement internally. However, for the most part there is still a great deal of concern about assuring that cloud providers have implemented appropriate security controls given the very fast move to the cloud.


Cloud computing faces security challenges such as data segregation, compliance or privileged user access. What advice would you give to those that want to make sure the data they store in the cloud is really secure?

The advice will vary depending upon the type of cloud service. CSA likes to remind customers that they have the implementation responsibility for Infrastructure as a Service (IaaS). With IaaS, it is realistic and recommended to implement AES encryption of your data, with a separation of key management from the cloud provider. It is also recommended to implement a federated identity management strategy, so that an organization can leverage its own granular user directory with its cloud service to enable true, granular, role-based access.

With Software as a Service (SaaS), the customer does not have the ability to implement these types of controls and must have trust in their cloud provider, but they should do their best to get contractual commitments for the presence of these controls. In all cases, the customer should try to either implement or request extensive logging to measure their data security controls.