That user concerns about security and related matters are part and parcel of how and when cloud computing—whether on-premise, in public clouds or a hybrid—gets adopted isn't news. Even if the risks are sometimes more about perception than reality, the fact remains that survey after survey puts “security” at or near the top of inhibitors to cloud adoption. And that makes understanding how to mitigate these risks an industry priority given the flexibility, agility and cost benefits that cloud computing can bring.
Many companies and groups are working to address security challenges in various ways. The Cloud Security Alliance (CSA), founded in 2009, is one of the most important of such initiatives because it's arguably the organization taking the broadest view of the problem. It's a not-for-profit organization whose mission is to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure additional forms of computing.
Red Hat has been participating in the CSA community for nearly two years, and has been working to bring awareness and utilization to the tools built by the CSA to provide security to physical, virtual and hybrid cloud environments. Now, as an official corporate member of CSA, Red Hat will continue to drive a focus around open standards and security to protect enterprise workloads in the cloud.
The CSA has a broad membership with over 130 corporate members. This includes IT vendors like Red Hat who sell to a wide range of industries. But it also includes companies, such as healthcare technology supplier McKesson, that specifically work in industries that are highly regulated and significantly affected by data privacy requirements. It includes professional services firms with an interest in security and compliance issues, such as Ernst & Young and PwC. It includes government agencies such as the Department of Defense and suppliers to those agencies such as Raytheon. And it includes large technology end users such as eBay. The CSA also has a whopping almost 40,000 individual members in its LinkedIn group.
One specific CSA initiative is its Cloud Security Alliance Cloud Controls Matrix (CCM). CCM is designed to provide fundamental security principles “to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.” The goal here is essentially to provide structure so that security can be evaluated in a systematic way. Specifically, in the CSA's words, to provide:
“...organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardize security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.”
It's important to be systematic in this way because security isn't one thing. In fact, the CCM considers 98 distinct areas of control across 13 different domains; such as compliance, resiliency and information security. Each of these areas of control is then mapped to the area of IT architecture where it plays (e.g., networking, data or compute), its relevance to different cloud service delivery models (IaaS, PaaS and SaaS), and its relationship to a wide range of regulations. Even a quick scan of the detailed matrix gives a sense of the degree to which the CCM provides a very specific practical framework that organizations can use. (A 2009 study by the European Network and Information Security Agency (ENISA) provides a framework that's in a somewhat similar vein.)
The CCM (or an alternative document called the Consensus Assessments Initiative Questionnaire) can be used by cloud users to structure their own evaluations of cloud providers. However, these documents are also inputs to another CSA initiative called the CSA Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that “documents the security controls provided by various cloud computing offerings.” Cloud providers can submit self-assessment reports that document their compliance to CSA-published best practices. The CSA's goal is to make it easier and faster for cloud users to do their due diligence and generally move to an environment where security practices are more transparent and even used as a differentiator among different cloud providers.
The CSA also conducts research into cloud computing. Most recently, on September 27, it released the results of a Cloud Market Maturity study, a collaborative project with ISACA, intended to provide business and IT leaders with insights into the maturity of cloud computing. While the report found many positive indicators, it also identified a number of areas in which the survey respondents had less confidence in cloud computing. We were particularly interested to note that a number of these—such as exit strategies, longevity and credibility of suppliers, integration with internal systems and contract lock-in—very much talk to the need for an open, hybrid approach to cloud computing. That's why we at Red Hat firmly believe that open and hybrid are essential elements of a cloud strategy, as we discuss in this whitepaper.
You might not always know it from the predictable breathless headlines one sees whenever there are reports of a provider's service outage or security breach, but cloud security discussions are moving beyond the naïve “is it safe?” stage. They always have been, really, among knowledgeable security practitioners. They understand that cloud security is part of a broader IT governance discussion and that security exists in the context of the many tradeoffs that are always being made with IT systems. But those nuanced analyses are becoming more mainstream. And one of the important reasons this is happening is that organizations such as the CSA are helping to codify best practices and make them easier to consume.
Learn more about Red Hat’s work in the cloud computing space here.