Once a new and very hot topic, cloud computing has definitely found its place in the modern enterprise. Based on your experience, has wide adoption brought good security practices and awareness or just created more issues?
While virtually every enterprise has adopted cloud computing to some degree, the CIOs within these enterprises will tell you that they are still in a "learning curve" about the advantages and disadvantages of cloud computing today, even though most agree it will be the dominant form of computing in the future.
There are definitely cases where organizations have found applications of the cloud that improve security and resilience. For example, some organizations have discovered the cloud to be a low cost option for data center hot sites, which have allowed for more comprehensive disaster recovery capabilities. Also, using certain cloud applications have simplified segregation of duties that have been difficult to implement internally. However, for the most part there is still a great deal of concern about assuring that cloud providers have implemented appropriate security controls given the very fast move to the cloud.
Cloud computing faces security challenges such as data segregation, compliance or privileged user access. What advice would you give to those that want to make sure the data they store in the cloud is really secure?
The advice will vary depending upon the type of cloud service. CSA likes to remind customers that they have the implementation responsibility for Infrastructure as a Service (IaaS). With IaaS, it is realistic and recommended to implement AES encryption of your data, with a separation of key management from the cloud provider. It is also recommended to implement a federated identity management strategy, so that an organization can leverage its own granular user directory with its cloud service to enable true, granular, role-based access.
With Software as a Service (SaaS), the customer does not have the ability to implement these types of controls and must have trust in their cloud provider, but they should do their best to get contractual commitments for the presence of these controls. In all cases, the customer should try to either implement or request extensive logging to measure their data security controls.
How has the security industry responded to your recent announcement of the Certificate of Cloud Security Knowledge (CCSK) program? What led to the formation of this certificate? How has the security community responded?
It has been very positive from the security solution providers, security practitioners and even cloud providers. Virtually everyone is committed to getting employees certified and feel this is raising the baseline of cloud security knowledge a professional should have.
We all know that a certification is not a panacea, but even when parties are debating about the relative merits of a security certification, they are helping get the industry focused of security awareness and education. We have planned a user certification from the beginning as a natural extension of the body of knowledge we are creating.
How do you see cloud computing evolving in the near future?
I see a lot of private cloud adoption in the near term, but as we start to get a few compliance case studies publicized, I believe we will see the pendulum swing back to public cloud adoption.