Cloud Security Gets Organized


Cloud security has become very important now that companies are outsourcing their critical data. As a result, organizations are forming to discuss the issues and provide guidance and even some standards to improve security in the cloud. One such organization is the Cloud Security Alliance (CSA) which was formed by representatives from a wide swath of the IT industry. None of the big traditional assurance firms are represented in the Alliance, although the Information Systems Audit and Control Association (ISACA) is one of the founding members.


The Alliance is beginning to have an impact. It is having conferences, with one recently held in October and one planned for February, 2011, and has issued guidance, the latest being Version 2.1 of its centerpiece “Security Guidance for Critical Areas of Focus in Cloud Computing” as well as a a paper on Identity and Access Management. Other important projects are underway.


Recently, the CSA took on CloudAudit as one of its projects. CloudAudit is a separate organization whose goal "is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology."


This initiative takes CSA firmly into the automated assurance space. All of this should lead to better security practices in the cloud.