RSA: Cutting Through the Cloud Security Talk

Cloud security was a key buzz phrase at this year's RSA conference, held in San Francisco this past week. But just which security concerns were top of mind - and how organizations should grade those risks - can be difficult to answer.

Most would agree cloud computing has become one of the catch phrases of this year's RSA conference in San Francisco.

The overall theme: Security may make or break cloud computing efforts as businesses look to balance the needs of regulations, access management and data protection with the business benefits the cloud can bring to the table. But saying that is the easy part.

Archie Reed, HP's chief technologist for cloud security, noted during a panel discussion Thursday that enterprises should not viscerally declare cloud computing secure or insecure. Businesses need a clear vision of what they want, as the security implications of a cloud computing effort can hinge on what their plans are, he said.

"Stop saying 'cloud,' because that doesn't help. Talk about what you really want," he said.

From there, the security needs can be worked out, he added.

Earlier this week at the conference, the Cloud Security Alliance (CSA) published a list of the seven top threats to cloud computing, which touched on a number of issues impacting security. Among them are segmentation and access management challenges caused by IaaS (infrastructure-as-a-service) vendors sharing infrastructure. Strong compartmentalization should be used to ensure individual customers can't impact the operations of other tenants running on the same cloud provider, and customers should not have access to any other tenant's data, the report said.

"Access management is a big area of focus for CSA," Nils Puhlmann, co-founder of the CSA, told eWEEK. "We just announced a big effort working with Novell and other industry experts to define how a proper access model in the cloud would look and how it could easily be audited."

"At the end of the day, every party wants to know [who can] access what data, where, at what time and for what purpose," he continued. "But we also are working beyond this to better define identity management in the cloud."

Some of the concerns tied to moving sensitive data into the cloud mirror the concerns that existed in the past regarding traditional IT infrastructures, such as "how do I audit and prove the controls function as designed," Puhlmann said. To address this, cloud providers need to either provide the data to allow for proper logging and auditing or enable others to provide these functions as a service, he said. Standardized interfaces and APIs can also be used to enable the exchange of relevant data, he added.

During the week, attendees were hit with various surveys about attitudes toward the cloud. In the same session where Reed spoke, a TechTarget survey was referenced that put the percentage of businesses that felt security was the main barrier to cloud computing at 27 percent - a drop from the 55 percent mark last year. However, during his remarks earlier this week, RSA President Art Coviello made reference to a survey from CIO Magazine in which more than 50 percent of those surveyed cited security as their greatest concern with regard to cloud computing.

"Something's holding back the full realization of this vision, and that - in a word - is security," Coviello said during his keynote Tuesday.

"Cloud computing," he continued, "will complete the transformation of IT infrastructures unleashed by the Internet. Organizations will demand it because they must, absolutely must, get faster and better returns on their IT investments... The challenge is to ensure that safety is designed and built into the cloud so that organizations of every size, from the smallest merchant or agency to the largest government or multinational can make broad use of the cloud fully confident that their information and transactions are secure."

Symantec CEO Enrique Salem shared similar ideas during his own keynote Tuesday. The relationship between cloud providers and customers hinges on trust, and security is an enabler of that, he said. Customers need to make sure their service level agreement allows them to have visibility into where their data will be, who will have access to it and how often, he said.

"If you are going to secure information, you ultimately have to know who owns it... It's important the same security you use today on-premise extends out into the cloud," Salem said.