Few doubt the potential benefits of cloud computing and storage -- on-demand access to computing and storage resources where cost is directly correlated to system usage. But what about securing those servers, applications, and the data being hosted and managed by the cloud services providers? How does the service provider ensure the data remains confidential, isn't altered, and is always available when needed?
While cursory answers to those questions may satisfy many small businesses for some of the data they store and manage on cloud-based services, that's not good enough for IT systems being managed for government agencies, heavily regulated companies, or retailers that fall under the umbrella of Sarbanes-Oxley, the Health Information Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS).
Public companies, because of Sarbanes-Oxley, need to verify that adequate controls are in place to keep financial information secure from tampering and unauthorized eyes, and online retailers need to be certain that all of the many controls of PCI DSS are in place. If regulated businesses, or more importantly the auditors and regulatory authorities, are not convinced that cloud service providers are secure, and the providers fail to properly substantiate the security they have in place, it's a showstopper for the technology's adoption by enterprise IT departments.
As more complex systems, and data with high business value, are moved to cloud services, so must nearly every aspect of IT security management. That includes everything from encryption and key management to e-discovery, application security, and governance, risk, and compliance frameworks.
Industry participants created the Cloud Security Alliance, announced Tuesday, as a not-for-profit organization with the mission of promoting the use of best practices for providing security assurance within cloud computing.