Can we simplify cloud security?

Last week, the Cloud Security Alliance had its EMEA congress in Amsterdam. The day before, I got a chance to be the instructor on a CCSK workshop (Certificate of Cloud Security Knowledge).

The lineup of industry experts at the congress was awesome, it included people directly involved in the security of the biggest cloud computing providers in the world, as well as security officers of their largest consumers. And they talked to one another in the most productive way.

One example of a reassuring statement was from an Amazon security officer: “we don’t have a security budget, our security funds are effectively unlimited”.

The feeling I had after delivering the CCSK training was that people need to know more about how to contract a cloud provider in a professional way. In particular it is important to know how to manage the risks. For example, the customer might need to ensure that data at rest with the provider is encrypted. While evaluating a potential cloud provider, it might be important to check this ‘control’.

Now try to think how this scales from the perspective of the cloud consumer: they need to check this and a few hundred other controls for potentially dozens of cloud providers. Similarly, the cloud providers get these questions from most of their prospective customers. If cloud computing is to deliver on its promise, this is a process that needs structure and automation. If not, it will become too cumbersome.

Just imagine what it would take to audit all your cloud providers on a regular basis. Now think about a few hundred controls for a few dozen cloud providers and doing this every couple of weeks. Think of the paperwork associated with that, for you as well as for the cloud provider. I know of a smallish provider who has somebody full-time dedicated to answering these questions.

There has to be a better way, and I think the Cloud Security Alliance is the best community to develop it with.