News Stay informed about the latest enterprise technology news and product updates.

CSA Congress attendees speak up on cloud security

Users came to the first annual Cloud Security Alliance Congress in Florida this week to hear the state of cloud security. Some say they're ready, but many are still wary.

Weekly cloud computing update

The first annual Cloud Security Alliance (CSA) Congress appeared to be a big hit. The keynotes were full, and the sessions were lively. The general consensus was that the technical level was appropriate, and the event provided a good cross section of the CSA's efforts to date to pin down the elusive target of cloud security.

Quite honestly, I don't really think a lot of people really grasp what cloud is.


Christopher Ford, partner at law firm Morrison & Foerster LLP,

It had its fair share of risibility, of course. Even a toned-down congregation of security professionals can't expect to completely be free of sights like Symantec's chairman, John W. Thompson, bellowing "Don't fight Mother Nature!!!" as he stumped for companies to ignore the risks and buy more cloud services. And since the reaction of mankind to Mother Nature over the years has been to build more secure housing rather than stay out in the storm, a more nuanced metaphor could have been chosen. One attendee did note that, as a theater minor, he truly appreciated the performance.

One attendee said of the keynote by Microsoft's John Kearney: "Really good, really frank and informative … I don't think he's a lifer [at Microsoft], if you know what I mean." And Pamela Jones Harbour's level-headed warning to cloud providers about solving their security problems ended up being the most thought-provoking. It's a rarity to see the federal government leading so aggressively, whole-heartedly and effectively on a technological advance as they are on cloud computing security and data protection.

What attendees were looking for
Many attendees noted that they were there to take in the scenery.

"I'm here to see what the landscape looks like," said Christopher Ford, partner at the Washington, D.C. office of law firm Morrison & Foerster LLP. Ford specializes in service agreements and contract law for the enterprise, and he said his interest was on the rise because the new landscape of cloud computing was unsettled and unsure from a legal perspective.

Ford said the promise of cloud computing was a curse in equal parts, since the easy-on, instant service promised didn't take into account the questions of indemnity, responsibility and so on. The plain fact was that people were using it, though, including his customers, and he'd come to hear what the consensus was. Ford didn't find much that was definitive, but he's comforted that the issues around cloud security are being hammered out and addressed in a tangible fashion.

Ford also felt there's a long road to go, however. Despite the ease with which the term was used and at the show, cloud computing remained a mushy concept for the public. "Quite honestly, I don't really think a lot of people really grasp what cloud is," he said.

Cloud computing's malleable definition
That may be because it depends on where the consumer sits, however, because cloud can be one thing for a desk jockey and another for the system administrators. It's a mark of progress, however, that legal professionals like Ford now consider it a special area of expertise; a year ago, the term was common parlance to developers and IT infrastructure wonks only.

The CSA is a testament to that progress. It is an industry consortium composed of the likes of Microsoft, AT&T, IBM and Google on the vendor side and bodies like the Information Systems Audit and Control Association (ISACA) and the Distributed Management Task Force (DTMF).

So far, the CSA has produced the Security Guidance for Critical Areas of Focus in Cloud Computing, with its 13 domains of worry for the IT pro, and the CSA Certificate of Cloud Security Knowledge (CCSK), a test on basic knowledge in the area. It's also created Cloud Control Matrix, a spreadsheet for evaluating cloud providers security controls.

And if the reactions of its Congress attendees are anything to go by, cloud computing has reached another inflection point. Even the non-technical grasp the issues in nuanced detail; the technical, meanwhile, are well past suspicion and experimentation and into finding acceptable ways to use new cloud services.

The CSA Congress didn't break any major ground, but it amply demonstrated the state of the art in cloud security (unfinished but going strong) and the awareness and the expectations of the audience.

Carl Brooks is the Senior Technology Writer for Contact him at

Dig Deeper on Cloud security tools

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.