That means they're ill-prepared to supply an audit trail to individual customers, who are probably running their workloads on a server with many fellow cloud users. Jim Reavis, co-founder of the Cloud Security Alliance, will speak to this and other concerns when he addresses the Connections Conference in Las Vegas April 17-21. Reavis is a keynoter for the Las Vegas event's cloud track. His talk will be on "Building the Trusted Cloud."
One problem in the multi-tenant cloud, where different businesses use the same server, is supplying a user with his own track of events in the server log. Techniques for isolating one customer's information from another's are still rudimentary. The concern is not only that a given user will not get his activity in the log, but that he might get someone else's as well by mistake. The job of isolating one user from another in one server log still needs more work, Reavis said in a recent interview.
"How do I as a cloud supplier provide a view of that logged information, scrubbed from the other customer's information?" he asked. The answer is not yet clear, leaving cloud users in an awkward position if they need to provide an audit trail from information in the hands of their cloud supplier. The problem will get sorted out, he predicted.
He thinks the dangers of security exposures in the cloud, while they exist, are overstated. As we gain maturity in cloud computing, "the cloud has so much power to make security better" for its customers, as opposed to undermining it, he said.
Reavis is the alliance's executive director as well as head of the Reavis Consulting Group in Ferndale, Wash. The alliance is made up of a mix of industry vendors and has been instrumental in establishing a common framework of terms and definitions in cloud security. It also issues periodic best practices documents. Its Governance, Risk Management and Compliance Stack, for example, is an IT manager's toolkit for assessing a cloud operation, whether public or private, against security best practices and compliance requirements.
Among the 77 corporate members of the alliance are: Lockheed Martin, IBM, Google, Microsoft, Rackspace, Dell, Intel, Cisco, Verizon Business, Oracle, CA Technologies, Rackspace, VMware, Terremark, and CSC.
Another keynoter for the cloud track at the show is Nils Puhlmann, chief security officer at Zynga, the San Francisco online game company and creator of Mafia Wars and Farmville. Puhlmann is also co-founder of the Cloud Security Alliance and serves as its chief information security officer. His talk will be on "Securing Innovation" and he will draw on his experience marshaling security practices at the world's largest online gaming company.
In an interview, Puhlmann pointed to a recent security brief issued by RSA, the security software maker now known as the RSA Security Division of EMC, as pointing to methods for establishing much stronger security practices in the enterprise data center and the cloud in the future.
In this view, virtualization is not a vulnerability, but one of the lines of defense in depth. A virtual machine can isolate a database or other target and its hypervisor can be closely monitored for any sign of intrusion. If such a sign is detected, the virtual machine can be easily shut off from other resources or even shut down, with a clean copy restarted.
The paper, called Mobilizing Intelligent Security Operations for Advanced Persistent Threats, (pdf) illustrates how security professionals, with great effort, can get the upper hand in the arms race between defenders versus attackers.
Puhlmann said a cloud environment can be made as secure as a data center and, when it comes to PCI transactions, "I don't see why they shouldn't become a commonplace" in the cloud. But the PCI standard will have to "adjust itself to the times" before that will be true, he said.
Puhlmann will try to relate security to the process of innovation that is underway, particularly in cloud computing, "which is moving ahead faster and faster. The cloud is a huge disrupter. It's up to us and others to make sure its security is discussed."
Cloud practices that move data between data centers around the world illustrate how archaic the laws governing data management and security have become, he pointed out. In some cases, data arising in Europe can't leave a nation's borders. Canadian healthcare data can't be stored on U.S. servers.
"We have completely conflicting rules of law enforcement," he said, and until Jan. 1, the PCI council hadn't acknowledged that a PCI compliant process could be established, even if part of it was running on a virtual machine.
"Virtualization is just an enabling technology. What's so different with the cloud is the consuming model," with consumers accessing the cloud from a wide variety of locations. The challenge of managing access is about to expand with the advent of many tablets, smart phones and other mobile devices tapping into the cloud.
Only part of the problem is technical complexity. Just as important is getting the people processes straight and having governance in place so the initiator of an operation in the cloud is doing things correctly, he said. Another complexity is lines of responsibility, who's doing what. "Now there are people handling the system and data who are not employed by you. That changes the notion of who works for your company," he noted.
A cloud's APIs need to be secure and only do the things they are designed to do, not leave maneuvering room for interlopers. "It's crucial these interfaces are rock solid," he said.
There's been no publicized breach based on a malformed API but such an event is probably only a matter of time. From Puhlmann's perspective, the cloud isn't inherently insecure, but neither has it matured to the point where users are assured in all cases of its security.