An international coalition is attempting to create due-diligence tools, testing and standards that will help firms determine whether cloud providers are addressing common concerns such as accessibility and security adequately.
“One of the big security issues with the cloud is what defines security. One of the things that we see is every service provider has a different take on security when you are looking to buy. It’s hard to make an informed decision,” says Matthew Lowth, a security architect at National Australia Bank, a coalition member.
“One of the reasons to create standards is so you can scale up and down based on your need to execute a project and have knowledge of the security of the cloud,” Lowth says. “The standards inform consumers that if they buy a certain level of service, they can expect certain levels of security.”
As part of the Open Data Center Alliance, National Australia is working to produce a standard proof of concept and template form that can be used to evaluate and test the level of protection offered by cloud providers and to inform service-level agreements.
Among the new tech tools is a personal engine assistant that allows businesses to standardize cloud-computing requirements that are included in requests for proposal and other documents.
The alliance’s standards include grades that range from bronze to platinum, which participating suppliers agree to follow. The grades note the minimum compliance and security needs of the client that is purchasing cloud services. This security would include access, or the promise that the provider can safely make the necessary capacity available when needed; as well as data breach prevention strategies, fraud mitigation, supply chain risk, authentication, and firewalls and encryption to protect information that resides in the cloud.
The grades would not replace due diligence, but are designed to make it simpler. A “platinum” grade of security would offer protection consistent with the needs of the military, for example, while “gold” would meet the security needs of most financial firms.
The alliance includes companies and IT suppliers that are working toward increasing use of cloud computing by businesses. The alliance includes banks such as JPMorgan Chase, UBS and Deutsche Bank, nonbanks such as BMW and Disney, and a number of vendors that sell and develop cloud solutions. National Australia, JPMorgan Chase and UBS are all also part of a steering committee that is focusing on the standards and interoperability model.
“If we look at the number of providers that have joined and the type of providers that have joined, they have a vested interest in satisfying what large and small businesses want, so they can sell more software. We think the combined powers” of the vendors and other participants “is a powerful incentive for cloud suppliers to build out to the standards,” says Denis McGee, general manager of application development and testing at National Australia.
The alliance has 350 members globally, and would work in conjunction with other standards organizations, McGee says.
The standards are obviously not regulations, but the goal is to make the standards part of service level agreements signed by firms and cloud service providers. “Three hundred and fifty members is a lot of purchasing power,” McGee says.
The providers have reason to be concerned about the image of cloud security. In a January survey of government agencies by the 1105 Government Information Group, more than half of the respondents said cloud solutions aren’t secure enough.
A majority cited security concerns such as data loss, identity authentication and credential management, clarification of record ownership, identity provisioning and the fear that cloud data will be exported to less secure countries.
Some vendors, such as Cryptomathic LLC, have launched cloud-based encryption-management services. Cryptomathic’s targets banks and government agencies that handle large amounts of data and secure software applications in their networks (