CSA Calls for Unified Cloud Security Standard — Can It Work?
The Cloud Security Alliance (CSA), a nonprofit cloud advocacy group, has just debuted its software-defined perimeter (SDP) initiative, which aims to provide cloud-based applications with end-to-end protection by creating a unified, standardized security service. This is a worthy cause. But can the CSA's effort really help lock down the cloud?
Stop, Collaborate and Listen
According to a November 13 article at Business Cloud News, the goal of SDP is to develop a security framework that "mitigates network-based attacks on Internet-accessible applications by eliminating connectivity to them until devices and users are authenticated and authorized." To make the concept a reality, the CSA is relying on collaboration between members of its Enterprise Resource Council and several large security vendors. Fundamentally, the SDP initiative revolves around the idea of using the cloud as a way to protect cloud-based apps instead of allowing it to be leveraged as an attack vector. In what seems like counterintuitive IT practice, midsize companies would point data center routers toward the cloud, where all incoming network requests would be funneled through a native authentication and management application.
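The "no connectivity until authenticated and authorized" idea is easiest to see as code. The following is an added illustration, not code from the CSA, Vidder or the SDP working group: a toy controller that checks user credentials, device posture and per-application role policy before issuing a short-lived HMAC-signed token, and a gateway that drops every request that does not carry a token valid for the requested application. The device inventory, users, application policy, shared secret and token format are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"   # constructed; controller and gateway share it
TOKEN_TTL = 300                  # seconds a token stays valid


def _pwd_hash(password: str) -> str:
    # constructed credential store: salted SHA-256 (use a real KDF in practice)
    return hashlib.sha256(b"demo-salt" + password.encode()).hexdigest()


# constructed inventory: enrolled devices with posture, users with roles, app policy
DEVICES = {"laptop-1": {"compliant": True}, "laptop-2": {"compliant": False}}
USERS = {"alice": {"pwd": _pwd_hash("correct-horse"), "roles": {"finance"}}}
APP_POLICY = {"payroll": {"finance"}, "hr-portal": {"hr"}}


class SdpController:
    """Authenticates user and device, then issues an app-scoped signed token."""

    def __init__(self, secret=SECRET):
        self.secret = secret

    def authorize(self, user, password, device_id, app, now=None):
        now = time.time() if now is None else now
        u = USERS.get(user)
        if u is None or not hmac.compare_digest(u["pwd"], _pwd_hash(password)):
            return None, "bad-credentials"
        dev = DEVICES.get(device_id)
        if dev is None or not dev["compliant"]:
            return None, "device-not-trusted"
        if not (u["roles"] & APP_POLICY.get(app, set())):
            return None, "not-authorized-for-app"
        claims = {"sub": user, "dev": device_id, "app": app, "exp": now + TOKEN_TTL}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.secret, payload, hashlib.sha256).digest()
        token = (base64.urlsafe_b64encode(payload).decode() + "."
                 + base64.urlsafe_b64encode(sig).decode())
        return token, "ok"


class SdpGateway:
    """Enforcement point: nothing is forwarded unless the token checks out."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.log = []   # every decision is recorded for monitoring

    def handle(self, request, now=None):
        now = time.time() if now is None else now
        verdict = self._decide(request, now)
        self.log.append({"src": request.get("src"), "app": request.get("app"),
                         "verdict": verdict})
        return verdict

    def _decide(self, request, now):
        token = request.get("token")
        if not token:
            return "DENY:no-token"          # default posture: no token, no connection
        try:
            p_b64, s_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(p_b64)
            sig = base64.urlsafe_b64decode(s_b64)
        except (ValueError, binascii.Error):
            return "DENY:malformed-token"
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return "DENY:bad-signature"     # payload or signature was altered
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return "DENY:expired"
        if claims["app"] != request.get("app"):
            return "DENY:wrong-app"         # token is scoped to one application
        return "ALLOW:" + claims["sub"]


def demo():
    """Run the main cases through the gateway with a fixed clock."""
    ctrl, gw = SdpController(), SdpGateway()
    t0 = 1_700_000_000.0
    tok, _ = ctrl.authorize("alice", "correct-horse", "laptop-1", "payroll", now=t0)
    # a forged payload reusing the genuine signature must fail the HMAC check
    forged_claims = {"sub": "mallory", "dev": "laptop-1", "app": "payroll",
                     "exp": t0 + TOKEN_TTL}
    forged = (base64.urlsafe_b64encode(json.dumps(forged_claims, sort_keys=True).encode()).decode()
              + "." + tok.split(".")[1])
    src = "203.0.113.7"   # constructed client address
    return {
        "no_token": gw.handle({"src": src, "app": "payroll"}, now=t0),
        "valid": gw.handle({"src": src, "app": "payroll", "token": tok}, now=t0 + 10),
        "replayed_late": gw.handle({"src": src, "app": "payroll", "token": tok},
                                   now=t0 + TOKEN_TTL + 1),
        "wrong_app": gw.handle({"src": src, "app": "hr-portal", "token": tok}, now=t0 + 10),
        "forged": gw.handle({"src": src, "app": "payroll", "token": forged}, now=t0 + 10),
        "bad_device": ctrl.authorize("alice", "correct-horse", "laptop-2", "payroll", now=t0)[1],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the split is that the gateway never evaluates credentials itself: it only verifies that the controller already did, which is what makes the pattern standardizable across vendors. The `log` list stands in for the audit stream a real deployment would ship to its monitoring, where repeated `DENY:no-token` entries from one source are the signal to watch.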
Junaid Islam, CTO of security firm Vidder and an SDP coordinator, says the problem is not that cloud computing attacks are impossible to foil, but that there is no standardized response methodology; companies are left to create their own ad hoc solutions instead of referencing common architecture. "It's not that we don't know how to mitigate these attacks," he says; "it's just really hard. If you think about everything that enterprises have to do in terms of cryptography, identity systems, verifying device adaptation, geolocation — it's hard even for big companies with lots of IT staff." For a midsize company with only a handful of IT professionals, it can be almost impossible.
It is instructive to consider the U.S. Army: Although the organization has a massive budget and a host of IT administrators at its disposal, the battlefield intelligence processor that it uses on the ground in Afghanistan has no access to the cloud. As discussed in a recent Washington Times article, the $28-billion processor, known as the Distributed Common Ground System, or "D-Sigs," has no cloud capability and won't until the system is in its third iteration, or "release 3"; currently, the system is on release one. According to Major General Harold Greene, although moving to the cloud is a priority, moving slowly is "exactly the right thing to do" due to the complexity of the move "from a number of single intelligence stovepipe systems into an enterprise solution."
Part of the problem, of course, is cloud security. While greater processing power and the ability to move noncritical tasks off local servers mean better intelligence in less time, any data in the cloud is exposed to potential attack. Furthermore, as noted above, without any real standardization of security practices in the cloud, the Army is left creating its own IT defense systems rather than utilizing a set of best practices as a starting point. Can it be done? Absolutely, but it means more money, more work and more time — time that troops on the ground can ill afford.
So is SDP the answer? Midsize IT professionals will have to wait and see whether the CSA initiative ends up being more than a pipe dream, but it is a step in the right direction. Cloud security remains a top priority for C-suite executives and admins alike, in large part because the cloud is considered inherently insecure. Turning that notion on end — and using the cloud as a formidable authentication device — offers real potential. If it can be effectively combined with industry-wide standards, the result should be a cloud better suited to mission-critical apps from midsize to military.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.