The need for a Cloud Computing Security referee

In the world of information technology cloud computing is the latest game in town, but currently we can't even agree on the definition of the game, much less what the playing field looks like or the rules of the game. The referees, if they are out there, are in hiding.

Still, a lot of people are playing the cloud computing game because there is news broadcasting about it every day. Companies everywhere are asking about it because it's rumored to perform the magical CapEx/OpEx swap and deliver potentially huge savings. The emerging players (big or small, new and old) are fighting for your attention like a pack of wild hungry dogs because they haven't had a real meal since 2007 (the last of the big huge enterprise software/hardware sales deals). The problem in all the excitement, however, is that whenever one of the players gets to hold the mic for long enough they start telling you what the rules are. Even more worrisome is that they are just making it up as they go along in the hopes that they might be the ones to control the game.

Nowhere is this disruption more evident than as it relates to understanding the security risks of cloud computing. Almost overnight the entire security industry downloaded the latest cloud clip art and re-branded themselves to ride this new wave, but the truth is that cloud computing is a disruptive force in the industry and some of us just aren't going to survive in the new world. Many are going to be left behind as the traditional information security and risk companies struggle to find their footing. The problem is that there are already a lot of cloud computing security and risk issues emerging that are not getting addressed, and these risks I believe threaten to disrupt the promising future of cloud computing.

In traditional IT you have your security, audit or risk management teams that know how to deal with IT security risks, but when you move to the cloud who takes over this role? Many providers would now say they do, yet their terms of service won't back up this claim. Your company's security concerns have not decreased (likely they increased) and your existing teams can't simply be re-purposed to the cloud as is. Their policies and procedures have been designed for working with IT assets they own and control, but when you give much of that up to the cloud how does your company address its risks?

With that in mind think about the following emerging issues:

  • No common definition of cloud computing has emerged (I support the NIST definition, which is being supported by the CSA as well)
  • A lot of the information on cloud computing is ad-hoc in a sea of hyperbole and advertising
  • It's impossible to search for cloud computing providers according to a set of business criteria like "My data must remain in the USA, the service must be SAS 70 compliant, and be audited by an external security firm every quarter"
  • Nobody except you cares where your data might be in the cloud and your only assurance is your terms of service
  • Growing concerns over the "audit-ability" of cloud computing providers and the "just trust us" mentality
  • The lack of repeatable transparency between cloud providers and consumers
  • Cloud computing providers struggling to keep up with their customers' security information requests (a few examples)
  • Well-meaning attempts to create standards for the exchange of security and risk information (e.g. A6 from Ben @ironfog) in the hopes that there will be an exchange of information
  • A very large and growing body of security concerns with cloud computing (e.g. work from the Cloud Security Alliance or the Jericho Forum) yet no industry solutions emerging to address them

That's a big and scary list with some very real issues on it, and the traditional IT security industry is not going to address these issues anytime soon for two reasons. 1) Because there is no "CloudScanner" or "CloudFirewall" they can create to solve this problem or sell through their existing sales channels, and 2) They are going to be distracted for the next 2 years as they busy themselves moving all of their desktop software into the cloud.

I think it's going to take a new category emerging in the security industry that is specifically focused on security for the Cloud. A trusted intermediary that will strive to keep everyone honest. Specifically, a cloud computing security referee that can be trusted to keep an eye on the providers, track their security and compliance status over time and help coordinate security transparency between cloud computing customers and providers.

Before we go any further let me be clear, I'm not proposing that this referee be in the form of legislation or government mandates. This is an opportunity for new private companies to step in and fill this need. A company that is 100% focused on the cloud and the unique challenges it brings to business.

I'm going to address what I think a Cloud Computing Security Referee company will need to focus on in my next post, but between now and then I would like to know if you think that a referee can solve the problems that are just now emerging. What do you think the company that steps up to be the referee will need to get right to succeed?