Thursday, February 23, 2012

Staying safe in the cloud - security challenges at Cloudscape IV

After some filming over lunchtime, I’ve re-joined the Cloudscape event in the trust, legal and security issues session. Chaired by Craig Lee, of the OGF Board of Directors, the session covered the work of several organisations in this crucial area. As we heard in the opening session, for most users, cloud security is the top concern – although what scientists, businesses and governments tend to mean by the term ‘security’ can be very different.

The Cloud Security Alliance is a not-for-profit organisation, led by a coalition of industry practitioners and corporations, who promote the use of best practices for providing security. Daniele Catteddu of the CSA and EMEA assured us that data should be at the centre of the new IT landscape. The experience of early cloud adopters shows that before considering moving to the cloud, the first issue is to identify your requirements clearly, so that you remain in control of your data.

Philippe Massonet, of CETIC, told us about the Common Assurance Maturity Model. CAMM provides a framework in the area of information assurance maturity. This helps cloud consumers to compare suppliers in terms of compliance with information assurance and security. For Philippe, the take-home message is to compare cloud offerings at a high level and manage the approach to security at a similarly high level.

Dennis Gannon, of the Technology Policy Group at Microsoft, looked at cloud policy and data privacy, and reminded us that not all data is created equal, and security needs are not uniform. For scientific users, for example, data security is not as big an issue as for governments and business – in fact the issue is more to make sure it is widely available.

Elmar Husmann of IBM, who introduced the TCloud environment, argued for clarity in discussing security. Cloud providers should make it clear that varying levels of security may apply to different services. This should be transparent at the deployment phase, so highly critical applications are deployed to the clouds that can attach an appropriate level of security. Standardisation in the enforcement of security is key to transparency.

The final word from the panel was on cybercrime. Protection against complex malicious threats is more important than ever now that clouds increasingly contain critical parts of the infrastructure. Cybercrime can be committed by targeting “inside” processes, for example through the people involved. Finding the means to detect this type of activity is a significant new topic for research. Dana Petcu, of the e-Infrastructure Reflection Group, alerted us that it is much easier to destroy than to construct, and tighter legislation in this area is needed. However, Ian Osborne of Intellect pointed out that cloud essentially works on a commodity service business model, i.e. competitively priced. This is not necessarily something that you can compare with your home-built security system. Intellect represents the UK technology industry, including more than 800 companies ranging from SMEs to multinationals. However, the overall message from the panel is that cloud security should be raised where it can be, in a transparent and standardised way – if only because this is the number one concern of the customers.

