Secure Cloud Practices Still Ramping
Amid failures and breaches, public and private sector groups are at early stages of fending off breakdowns and hacks; existing standards often neglected.
Insurance Networking News, June 8, 2011
Cloud computing is in the news, though not in the way its proponents have hoped. While advertisers market the arrival of "the cloud" in television advertisements, the new technology is gathering at least as much attention for a series of breaches and failures.
The computing industry is expecting widespread transformation to the new computing model that summons computing, storage and software on demand, often through third-party providers that might share computing resources and host their own services through more external service providers.
The mix of off-premise players and multiple connections has introduced new risks. Beyond embarrassment to large brand names including Sony, Amazon and Google, it is feared that more failures will dampen enthusiasm for early adopters.
Analysts with Forrester Research are predicting the cloud computing market to reach $241 billion by 2020, but near-term risk has become clearer in a series of incidents. After a security failure last month potentially exposed account information on 100 million users, Sony's PlayStation Network was hacked a second time, resulting in ongoing intermittent downtime for paying subscribers. Amazon was forced to apologize for an April event that caused an extended outage for customers of its computing and database services.
"Some pre-Internet era companies like Sony may have shown a bit of hubris to the implications of cloud computing," says Mike West, Distinguished Analyst at Saugatuck Technology. "And now it's going to cost them in services that were paid for in advance."
West says Internet-age provider Amazon was quicker to recover and saved face by providing visibility into its problems. But beyond accidental failures, more data breaches at RSA and attacks on Google's Gmail accounts have raised awareness that criminal and politically driven elements are actively looking to create mayhem or steal data held by sophisticated providers.
Government and non-profit groups are organizing to create standards for cloud computing and practices for defending it, though efforts are still ramping.
The National Institute of Standards and Technology within the U.S. Dept. of Commerce announced a program in 2009 to look at ways of securing information for federal agencies adopting cloud technology.
Last month, the group issued a draft release of recommendations and will be accepting comments for a final version through June 13, according to NIST spokesperson Evelyn Brown. The final version will not be released until the end of this year.
NIST is collaborating with and taking input from groups like IEEE, which is very focused on cloud security, Brown says. "Our own work is also pushed by [federal CIO] Vivek Kundra who has pointed out the need for federal government and contractors to move toward appropriate applications of cloud computing."
In the private sector, the non-profit Cloud Security Alliance (CSA), a group that includes prominent vendors, service providers, consultants and institutions, was launched at a conference held by security specialist RSA in 2010.
In its 2011 summit, the group talked about standardizing best practices and collaborative incident response teams of programmers and security experts as part of a 2011 roadmap that has only partially played out.
Computer Security Incident Response Teams (CSIRTs) are described by CSA as the "cornerstone" of coordinated incident response and computer security information sharing for governments and large enterprises. The model has been used to respond to incidents of malicious activity on the Internet.