Cloud computing – A question of trust

CLOUD COMPUTING
Computer Fraud & Security, June 2009, pp. 5-7

Catherine Everett

Both the Jericho Forum and the newly-established Cloud Security Alliance (CSA) have grabbed many a headline lately in their respective attempts to assuage some of the widespread information security concerns around cloud computing. The question is, are such initiatives enough?

The multifarious risks posed by the new IT delivery model, ranging from a potential lack of awareness of where data is held to possible insider threats and vendor lock-in, have been well documented.

One of the key promises of cloud is the speed and ease with which organisations can temporarily access additional compute resources if required – so-called ‘cloud-bursting’. However, there is a tension between this and the need for due diligence via mechanisms such as auditing, which inevitably take time.

Whether data owners purchase $150 worth of processing capacity for the day or spend millions of dollars on a five-year IT outsourcing contract, they still have ultimate responsibility for their corporate information. And it is they that will be held to account if things go wrong and they find themselves in breach of the current morass of legislation and regulations in this area.

But while such considerations are currently acting as a brake on cloud adoption among large enterprises beyond a few commodity services such as email security or departmental CRM, the same is not necessarily true of small to medium-sized businesses, which are often less aware of the risks.

The need for assurance

Nonetheless, as Gerry O’Neill, chief executive of the Institute of Information Security Professionals (IISP), points out: “It only takes a couple of incidents to undermine confidence. So you have to ask – where does the assurance come from? That’s key – a fundamental building block.”

But today there is little such assurance. Instead, there are various frameworks for defining cloud models and for helping organisations to ask the right questions. The CSA, for example, has produced its Security Guidance for Critical Areas of Focus in Cloud Computing.[1]

The 84-page document, which was produced in about four months by around 60 expert contributors, is intended to provide security practitioners with guidelines for discussing issues such as risk management, portability and disaster recovery with their suppliers.

The goal, indicates Nils Puhlmann, co-founder of the CSA and chief security officer at Qualys, which provides hosted vulnerability management and policy compliance services, is first to offer “education and second, transparency”.

“You can’t ask providers to make all information public as it’s anti-competitive and unfair. But you can ask what things are expected and what should be made transparent. If you have that, you can ask vendors to show you evidence of what they’re doing in x or y area. It’s about risk awareness,” he says.

The next step for the CSA is to have working groups focusing on hot-button topics such as identity management generate more detailed recommendations. These will be fed into version 2.0 of its document – a graphics-based report providing guidance that can be used not only by customers but also by vendors as to what should be included in their offerings.

Secure business-to-business collaboration

The Jericho Forum, on the other hand, has devised a cloud cube model, which defines different flavours of cloud and raises issues that organisations should think about if wishing to exploit them.

Its ultimate aim, however, is to move the debate beyond the current focus on one-to-one cloud vendor-to-customer relationships and on to secure business-to-business collaboration. This means finding ways to ensure that providers can pass data securely and seamlessly between themselves in order to process a given task from end to end.

Andrew Yeomans, a member of the Jericho Forum’s board of management, says: “There’s a subtle difference in architecture, but for most cloud providers, it’s not the end game.” As a result, much work still needs to be done around developing suitable identity and authorisation controls as well as open and interchangeable file formats for secure data exchange – the latter area being one in which the Open Group standards body is currently working.

Another tack that one of the Jericho Forum working groups is taking, however, is to devise self-assessment criteria for vendors to evaluate whether their offerings, which include cloud, match the organisation’s deperimeterisation and collaboration-oriented architectures framework specifications. Due to the risk of dishonesty inherent in self-assessment exercises, however, when the checklist is released later this year, feedback mechanisms will be put in place under which any bogus claims may be challenged.

But the guidelines are also expected to be employed by user organisations when writing their requests for proposals, in a move Yeomans believes will break “the deadlock between suppliers saying ‘users haven’t asked for it’ and users saying ‘you didn’t have it so we couldn’t ask’”. They could likewise form the basis of proposals for industry standards and be passed on to relevant bodies for ratification.

Formal accreditation

What Yeomans is less certain of, however, is whether such self-certification activity is likely to develop into a more formal accreditation process. “We’re trying to steer a delicate line as we’re not an accreditation body. But you could hand it off to a third party, although it’s difficult to find someone suitable, or you could take the criteria and do it as a paid-for service,” he says.

The Jericho Forum and the CSA are not currently working together and have not produced a single document, although the two are discussing possible areas in which they could collaborate.

But opinion is mixed as to whether a formal accreditation process would actually provide large organisations inparticular with the assurance required toparticipate seriously in the cloud world.

The CSA and Qualys’ Puhlmann, for example, is against such a move as he believes it would stifle industry innovation. “If you look at the business model of cloud computing, what drives it is creativity. Many vendors will try and offer things that are currently unimaginable, but trying to squeeze all that into one standard is very difficult and standards around security haven’t worked very well in the past,” he says.

But other industry players disagree. Paul Dorey, chair of the IISP and director of the Security Faculty, which provides training and development services for chief security officers, believes there will come a time when cloud services will need to have “some kind of accreditation stamp”.

Accreditation in three spheres

This security-based accreditation would cover three key areas – technology, personnel and operations. Although there is precious little around at the moment, technology standards in key areas such as identity and authentication are likely to be driven by organisations such as the Jericho Forum, before being ratified by established bodies such as ISO.


On the people side, the IISP has already come up with mechanisms for the formal accreditation of security professionals, while the operations element has workable solutions available too.

This part of the equation could be tackled by tweaking ISO 27001 and using it as the default measurement standard within the framework of the Statement on Auditing Standards (SAS) No. 70. SAS 70 is already used as a means of auditing providers in the traditional outsourcing space and cuts down on the amount of time internal audit teams need to spend on checking out third-party facilities.

Indeed, according to Dorey, Security Faculty members in the three most security-aware sectors of financial services, oil and gas and telecommunications were showing an interest in just this idea of fitting an acknowledged standard into SAS 70 during recent meetings.

“There was a sense that they’re facing growing pressure and cloud is starting to happen on the edge rather than the mainstream. They believe that departments will migrate into it and feel that they have to ensure the controls and security measures are there to do it in a safe way,” he explains.

The need for co-ordination

One of the problems at the moment, however, is that there is no single body coordinating the many, varied and consequently fragmented activities that are going on in the cloud security space – although an IISP meeting in Manchester in May did discuss setting up a working group to tackle just that issue.

“We’re connected to everyone so we’re very active and by the end of the year, we ought to look to have some kind of draft available. Adoption of a full international standard takes years, but what matters is that someone produces usable material, which in this de facto world is likely to become standardised,” Dorey says.

A question of trust

A subsequent step might also be to set up an independent third-party assurance body to accredit or kitemark cloud vendors as being secure, as part of a confidence-building exercise. Should such action not take place, however, the market runs the risk of being discredited in the way described by Nobel Prize-winning economist George Akerlof in his famous paper, ‘The Market for “Lemons”’.[2]

In this paper, Akerlof outlines how people learned over time not to trust second-hand car salesmen. This was because they had no means of judging for themselves whether a given car was a ‘lemon’ and, therefore, all too often ended up purchasing over-priced rubbish. This, in turn, damaged the market for higher-priced, quality automobiles, as they were perceived as too expensive to take a chance on.

And the same theory applies to the cloud sector. As Tim Watson, head of the computer forensics and security group at De Montfort University, points out, although one provider may offer a wonderfully secure service and another may not, if the latter charges half the price, the majority of organisations will opt for it as they have no real way of telling the difference. The problem with this situation is that, over time, as publicity over information security breaches continues to mount, the entire sector could well fall into disrepute.

“But with an independent assurance body you can trust, the market suddenly changes because you can tell the difference between good and poor quality. So it’s important just from a pragmatic economic perspective,” Watson concludes.

References

1. Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Security Alliance, April 2009. <www.cloudsecurityalliance.org/guidance/>

2. George Akerlof, ‘The Market for “Lemons”: Quality Uncertainty and the Market Mechanism’, The Quarterly Journal of Economics, Vol. 84, No. 3 (Aug. 1970), pp. 488-500. <www.jstor.org/pss/1879431>

About the author

Catherine Everett is a freelancer who has been writing about business and technology issues since 1992. Special areas of focus include information security, management issues, skills and high-end software.

GLOBAL ID MANAGEMENT

Addressing global ID management challenges

Gary R. Gordon, executive director, Center for Applied Identity Management Research
Suzanne Barber, director and Professor, The University of Texas at Austin

Identity management is a maturing field, but still very much a work in progress. Organisations and their leaders are becoming more aware of the role that it plays in mission-critical areas of their entities and the interactions of all the individuals and organisations the entity touches.

Faced with threats from cybercriminals, attacks on computer systems, the potential for breaches of personally identifiable information (PII) and the need to protect access to information and facilities, these organisations are turning more and more to identity management solutions to mitigate the current and anticipated threats.

The need to know who someone is and whether, or how much of, a risk they present, with accuracy and in real time, is the underlying identity management tenet for trusted interactions in both the physical and digital worlds. The identification challenge impacts individuals, government, commerce and national security. It is the key component for digital transactions and interactions.

Defining identity management

Identity management has been described as a hard problem, which is both complex and broad. This makes it difficult to come to a consensus on key definitions. One comprehensive definition describes identity management as a set of policies, processes, tools, connectivities and social contracts protecting the creation, maintenance, use and termination of an identity. Based on this definition, identity management encompasses several areas including risk management, due diligence, granting documents and credentials, information security, information assurance, access control, privilege management, authentication and policy management.

Solving the identity management challenges requires greater collaboration across all aspects of society. There is a need for society to take a more horizontal approach than vertical when innovating to manage identities. Public/private collaborations comprising government, industry and academia are necessary in order for these issues to be fully addressed. When raised to the world stage, collaborative efforts are critical in facilitating commerce, creating interactions among governments and especially in combating the growing threats from cybercriminals.

Cross-disciplinary study and research is also essential. Because of the complex and multi-faceted aspects of identity management, collaboration from diverse disciplines such as computer and electrical engineering, informatics, law, policy, criminal justice, and business is vital.

Managing the challenges associated with identity management also demands a holistic approach. There are a number