Uncertainty about cloud-service security is among the biggest barriers to adoption in the business world. Verifying a cloud service's security is tough, especially because cloud providers are hesitant to reveal details -- and understandably so.
Fortunately, a group called the Cloud Security Alliance (CSA) has emerged to help alleviate would-be customers' concerns, and it's becoming the de facto standard for cloud security guidance for service providers, users, and auditors.
Trust us, we're secure
Cloud providers' hesitancy to share precise details of their offerings' security doesn't instill much confidence in IT security admins, but in many cases, it's not a matter of vendors trying to be devious or hide something. Rather, as they are learning what it means to secure cloud assets and developing standards and controls, they are trying to come up with documentation that satisfies customer requests -- without revealing too much information.
Observers in favor of cloud vendors revealing every detail of every security control often argue that sharing such data is akin to publishing a cryptographic algorithm for public review: Even if it is disclosed to the world, it should not result in a weakening of the provided protection.
But computer defense strategies aren't crypto ciphers, and disclosing too much could help an enemy. There's a reason why the world's navies don't announce to each other where all their submarines will be on a given day. There is value in keeping defensive strategies secret. As I've said before many times, security by obscurity does have value.
In order to protect their security secrets while addressing would-be customers' questions, many cloud providers have hired third-party auditors to perform security audits and have then released the results to interested customers. Traditionally, the Statement on Auditing Standards (SAS) 70 Type II is the most common U.S.-based cloud audit standard you'll see. Other cloud auditing standards have been developed, including CloudAudit, CloudTrust, and ISACA's Cloud Computing Management Audit/Assurance Program. A few cloud providers have flashed their military or defense department accreditations. But there hasn't been one global cloud-security auditing standard -- until now, through the CSA.