As the cloud becomes more and more a part of our IT world, the elephant in the room emerges: security. Companies have held back from using clouds – or, at least, public clouds – fearing that their data wouldn't be safe.
It's enough of an issue that, at the ISSA CISO Forum in Las Vegas in November 2008, the idea of the Cloud Security Alliance (CSA) was born. Over the past six years, the group has worked to establish standards and best practices to secure the cloud, including the development of CSA STAR (Security, Trust and Assurance Registry), a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
Last month, CSA and (ISC)², a global, not-for-profit organization that educates and certifies information security professionals throughout their careers, launched a joint security certification, the Certified Cloud Security Professional (CCSP). The four-hour CCSP exam tests competence in the six CCSP domains of the (ISC)² Common Body of Knowledge (CBK), which cover:
- Architectural Concepts & Design Requirements
- Cloud Data Security
- Cloud Platform & Infrastructure Security
- Cloud Application Security
- Legal & Compliance
This isn't just a paper certification. Candidates must meet real-world criteria before they are allowed to sit the exam. For the CCSP, candidates must have a minimum of five years of cumulative, paid, full-time information technology experience, of which three years must be in information security and one year in one of the six CCSP domains. The certification also requires commitment to a code of ethics, endorsement from an appropriate certified professional, and commitment to continuing education. It becomes available in June 2015.
In the face of initiatives like this, CSA CEO Jim Reavis finds it ironic that, given the number of corporate breaches over the past year, people are still worried about cloud security. "Top tier providers are not getting breached," he said. "Often they find evidence that enterprises have been breached." In fact, he noted, recently a provider saw outbound traffic from a major bank (which he declined to name) whose pattern indicated that it was under state-sponsored attack; the attacker was attempting to invade the cloud provider by way of the enterprise.
Cloud providers, Reavis added, can make the kind of investment needed in better intrusion detection systems and better log analytics, which, in the case noted above, allowed the provider to detect the attack before the bank was even aware of it. In fact, they have to make those investments, since a breach could put the provider out of business, or at the very least severely damage it. He wants all providers to show how they operate from a security perspective, to reassure customers that their data is safe, and applauds Microsoft's efforts to provide more transparency in Office 365.
"Our members want all providers to do this," he said.
The Internet of Things and software-defined perimeters present new challenges, and Reavis said that means more research – and possibly the founding of yet another arm of CSA. He worries about backdoors into smart appliances, and about the state of the cloud ecosystem behind them. He is concerned about the next-generation connected car and other "Things" in the Internet of Things that may not be receiving appropriate attention in the corporation. "It's a target-rich environment for bad guys," he said. "It needs board level visibility. It's not a niche for a group of geeks anymore."
This year, he also sees huge challenges in keeping old IT infrastructure chugging along until it can be replaced with newer technology. "Legacy stuff doesn't get care and feeding from manufacturers, and it doesn't take advantage of modern security solutions," he explained. "The perimeter died a long time ago."
"There's only so much education can do."
Sidebar: CSA Milestones
- 2009: Incorporated and issued the first comprehensive best practices for secure cloud computing: “Security Guidance for Critical Areas of Focus for Cloud Computing”
- 2010: Created and maintains the Cloud Controls Matrix (CCM), the world’s only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations
- 2010: Created the first and only user credential for cloud security, the Certificate of Cloud Security Knowledge (CCSK)
- 2011: Hosted the White House at its CSA Summit to announce the US Federal Cloud Strategy
- 2012: Established CSA Europe in Edinburgh, UK
- 2012: Launched the registry of cloud provider security practices, the CSA Security, Trust and Assurance Registry (STAR)
- 2013: Established CSA Asia Pacific in Singapore
- 2013: Launched CSA STAR Certification
- 2013: Released Big Data Security & Privacy research
- 2014: Established representation in the People's Republic of China
- 2014: Released the Software Defined Perimeter specification
- 2014: Launched CSA STAR Attestation