The Cloud Security Alliance (CSA) hosted its annual congress in Florida last week, Nov. 16-17th. One question that was largely absent from this year’s meeting was the repetitive “Will companies move to the cloud?”, which used to cause much angst and handwringing. It was instead replaced with the realization that cloud adoption was rapidly becoming an industry reality, and companies must take steps to keep up or be left behind.
Indeed, the advice from the podium of Symantec’s chairman, John W. Thompson, was “Don’t fight Mother Nature!”, which was well received by attendees.
“Trust but Verify” has always been one of the key philosophies of companies when evaluating the security of their vendors, and cloud providers are no exception. However, one of the key concerns regarding cloud is that as it introduces new technologies and operations models, new cloud controls must be created to keep up with the changes, and the question arises: “Where are these cloud security verification controls?”
Luckily, there were numerous cloud leaders and security industry bodies on hand at the conference to start answering the cloud “verification” question, including CSA, ISACA, BITS, and CAMM, among others. Even the Federal Government was on hand with the Federal Risk and Authorization Management Program (FedRAMP), which has been established to provide a standard approach to assessing cloud services. One of its primary benefits is that the cloud vendor’s security results can then be leveraged across the entire Federal Government. Further information can be found here.
Last month, BITS Shared Assessments published “Evaluating Cloud Risk for the Enterprise”, a fifty-page guide on the steps necessary to secure the cloud. This involved the participation of many industry leaders including Goldman Sachs, US Bank, AT&T, Gartner, KPMG, ISACA and CSA. At the conference, I presented on the new “Delta” cloud controls that are needed to evaluate the security of cloud vendors, and the steps enterprise companies can take to incorporate cloud security into their existing vendor and risk management programs. This Guidance, which was chaired by LiveOps, can be found here.
It was accepted by all that the process of helping secure the cloud and creating the necessary verification steps is a progressive and iterative journey. This conference ushered in the first widespread industry commitment to helping achieve this goal, with numerous organizations and companies announcing innovative security programs for the cloud, and with key leadership from the Cloud Security Alliance (CSA). Further information on the Congress can be found here.
Interested in knowing about LiveOps and our take on Cloud Computing and Security? Check out the recent paper I wrote on Contact Center Security and the True Cloud.