Novell has announced a Trusted Cloud Initiative (TCI) in conjunction with the Cloud Security Alliance (CSA), but can it really find a way to certify clouds as safe?
The Trusted Cloud Initiative is under the wing of the CSA, a vendor consortium that includes Google, IBM, Microsoft, Intel and many others. It does not include Amazon, the world's largest cloud computing provider. Amazon, however, did not rule out future participation.
"We will consider participation in this and other groups that are beneficial to our customers," said Amazon spokesperson Kay Kinton in an email. Kinton said that Amazon was focused on responding to its customers' security concerns first. Amazon obtained a SAS 70 Type II certification last fall, one of the baseline security practices suggested by the CSA.
"Security is our number one priority and we'll continue to acquire the certifications that provide added peace of mind for our customers, such as the SAS 70 II certification," she said.
The goals of the TCI
The TCI is headed by Liam Lynch, chief security strategist for eBay, and Nick Nikols, vice president of product management for Novell's identity and security business unit. Still in its infancy, the TCI aims to provide a cloud computing-specific certification that could eventually bring some clarity to what cloud providers operate and how they secure it.
"We want to make this industry-wide," said Dipto Chakravarty, vice president of worldwide engineering for Novell's identity and security business unit.
He said that the TCI wants to standardize the security basics for cloud computing around the CSA's existing guidelines for cloud security, published last year. He added that there's already a general agreement on some security principles.
"Basically, the model was built with a number of companies over this last year. That model is our starting point," said Chakravarty. The CSA's current guidelines are largely focused on helping potential users define cloud computing and identify risks they may not be familiar with.
The CSA's requests and requirements
The CSA recommends, for instance, that users request documentation on disaster recovery and security policies from the provider before starting out, along with being sure to do due diligence on whether or not using Amazon Web Services or the Rackspace Cloud would compromise regulatory compliance.
The CSA doesn't place the entire burden for security on the user, however. It does have some requirements for providers: "The cloud computing provider must assure the data owner that they provide full disclosure (aka 'transparency') regarding security practices and procedures as stated in their service-level agreements (SLAs)."
Chakravarty said the CSA model of SLAs and transparency to customers was accepted by some platform and infrastructure providers already, and it was a valid place to start a conversation around a seal of approval for cloud computing.
"We can use it to ramp up to the existing framework that our customers already have and not invent anything new," he said.
He added that one possibility would be to 'map' existing cloud resources to standards they could be compliant with, such as identifying a cloud as specifically ready for Sarbanes-Oxley, HIPAA or PCI.
That might free up providers to concentrate security efforts in areas where they knew they'd be able to see returns, and not in markets where customers simply wouldn't care about one certification or another, according to Chakravarty.
"We call that tying the [CSA security] model to the metal," he said.
Eventually, the idea would be to have a robust, automatic way for users to apply the CSA's security and compliance framework to picking out a cloud provider. Chakravarty said that you'd want security guarantees to be as simple as a check-mark on a list.
Chakravarty admitted it was a complex issue, simply because there are so many services out there called "cloud." He said he looked forward to hashing out the details and hearing feedback from both users and vendors on what would make a "Trusted Cloud" label meaningful.
Problems with security guidelines
Christofer Hoff, security researcher and director of cloud computing at Cisco, said the basic problem was that security information around cloud computing, especially infrastructure services, needed to be a constant flow of information from provider to user.
He said that a certification for security in cloud computing would have little value, unless it meant the provider was ensuring that consumers could see security data in action. Hoff heads a working group, CloudAudit.org, that is attempting to define an application programming interface (API) for cloud providers that would let consumers verify security information automatically.
He thinks that developing practical, demonstrable tools for cloud security users may be more important right now, but he's not opposed to the TCI on principle.
"It sounds like a good idea. I'd like to know more," he said. Cisco is a member of the CSA but not currently participating in the TCI project.
Carl Brooks is the Technology Writer for SearchCloudComputing.com. Contact him at firstname.lastname@example.org.