Founded in 2009, the Cloud Security Alliance (CSA), with some 20,000 members, is widely regarded as the main voice for security in cloud computing. As Jerry Archer, a CSA member and Sallie Mae's chief security officer, explains, the organization does not want to be a standards body; instead it looks for ways to promote best practices agreed among users, IT auditors, and cloud and security solution providers.
One result is the CSA's GRC Stack, a set of tools that help organizations assess and govern cloud deployments against industry best practices, standards, and key compliance requirements. Like every other tool the Cloud Security Alliance produces, the GRC Stack is provided free of charge to members (corporate sponsors, however, pay fees).
In the interview that follows, Archer explains how the Cloud Security Alliance works, how security problems in the cloud can be addressed, and how the cloud will ultimately improve security.
Q: At a high level, what does the Cloud Security Alliance do?
A: You can divide what we do into five big areas.
1. Strategy: in particular, how to get into the cloud and what you need to think about.
2. Education: helping people understand cloud security issues.
3. A best-practice framework around auditing and compliance. We are translating some of the typical SAS 70 controls and other audit frameworks into a framework that works for the cloud.
4. Assessment: looking at the cloud from a security assessment perspective.
5. Looking at what the future holds.
Q: How does the Cloud Security Alliance decide which projects to pursue?
A: The Cloud Security Alliance uses strict crowdsourcing, or cloud-sourcing if you like. We currently have 20,000 members, and any member can put forward an idea. You propose it to the group; if it gains traction, people will work with you on it and then you get approval.
At the beginning we had no research funding. Now we have money, because we have corporate sponsors and there are people who invest in particular pieces of work. It is important for us to maintain objectivity, though, so the board constantly checks that no vendor is oversubscribed, meaning it has put too much money into research in a given area. We don't want to be beholden to any company.
Q: You said the Cloud Security Alliance doesn't want to produce hard standards like SAS 70 or PCI. Why not, and how would you rate your contribution to the cloud industry?
A: We believe industry standards should be developed by ISO (the International Organization for Standardization) and other organizations that are good at setting standards. We often work with existing standards organizations to provide advice and guidance. But we believe we are more flexible if we are not tied to any specific standard. We have a formal alliance with ISO and the International Telecommunication Union (ITU): we provide them with research results and resources to help with their work. We also work with NIST (the U.S. National Institute of Standards and Technology), and we hope to establish cooperative relationships with other standards organizations.
Q: Do you think users are asking cloud providers for detailed information about their security measures, and do providers have a right to keep those details secret on security grounds?
A: Providers may never want to tell anyone how their firewalls are set up and things like that. On the other hand, if delivered correctly, there is a lot of information that is useful from a compliance or security standpoint.
If we separate fact from hype: as a consumer of the cloud, I can get enough information today about where my applications are running and how they operate, and it doesn't affect your security at all. So by giving me the information I need, you let me trust my environment.
In fact, from the consumer's perspective, things can be simpler, because applications become instrumented and you can determine whether they are running in the right environment. DARPA has done a lot of research on multi-tenant environments. They studied controls within the application that let the application report on the security of its own environment.
Q: How do instrumented applications work?
A: In a simple example, the application knows where it is going. It knows what machine it will run on and what operating system it will actually use, and it builds a fingerprint by querying these things, saying "I'm in the right environment, here is the patch level," and so on.
It can be behaviour-based and say, "I know I'm going to do these things." It can test the legitimacy of this code. If the answer isn't right, then you know you have been compromised.
You can do all kinds of things to gain a great deal of knowledge about the environment the application is running in. In the end, that's probably where you are heading.
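The self-check Archer describes, as an added illustration that is not code from the interview, the CSA, or the DARPA work he mentions: the application fingerprints its host and its own code with a key held outside that host, then refuses to run if either differs from an enrolled baseline. The field set, the out-of-band key, the sample environment and the sample code are all constructed for this example; the "patch_level" field is a placeholder, since the interview does not say where that value would come from.

```python
import hashlib
import hmac
import json
import platform

# Fields the application queries about where it runs. The field set and the
# baseline values further down are assumptions for this illustration.
FINGERPRINT_FIELDS = ("hostname", "os", "os_release", "python", "patch_level")


def collect_environment():
    """Query the live host. 'patch_level' is a placeholder: nothing real is
    consulted for it, because the interview leaves its source open."""
    return {
        "hostname": platform.node(),
        "os": platform.system(),
        "os_release": platform.release(),
        "python": platform.python_version(),
        "patch_level": "unknown",
    }


def fingerprint(env, key):
    """Keyed SHA-256 (HMAC) over the selected fields in a canonical order.
    Keyed so the expected value cannot be reproduced by anyone who merely
    knows what the host reports; raises KeyError if a field is missing."""
    canonical = json.dumps({f: env[f] for f in FINGERPRINT_FIELDS}, sort_keys=True)
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def code_digest(code_bytes):
    """Plain SHA-256 of the code the application is about to run."""
    return hashlib.sha256(code_bytes).hexdigest()


def make_baseline(env, code_bytes, key):
    """Enrolment: record the expected values from a known-good environment."""
    return {"env_fingerprint": fingerprint(env, key),
            "code_sha256": code_digest(code_bytes)}


def attest(env, code_bytes, baseline, key):
    """Return (ok, reasons): ok only if both the environment fingerprint and
    the code digest match the baseline. Comparisons are constant-time."""
    reasons = []
    if not hmac.compare_digest(fingerprint(env, key), baseline["env_fingerprint"]):
        reasons.append("environment fingerprint mismatch")
    if not hmac.compare_digest(code_digest(code_bytes), baseline["code_sha256"]):
        reasons.append("code integrity check failed")
    return (not reasons, reasons)


# Constructed sample data so the script runs stand-alone.
ATTEST_KEY = b"key-provisioned-out-of-band"  # assumption: held by the tenant, never by the host
GOOD_ENV = {"hostname": "app-node-01", "os": "Linux", "os_release": "5.10.0",
            "python": "3.11.4", "patch_level": "2023-09"}
APP_CODE = b"def handle(request):\n    return process(request)\n"
BASELINE = make_baseline(GOOD_ENV, APP_CODE, ATTEST_KEY)


def demo():
    """Run the check in the enrolled environment, then on a host with an
    older patch level, then with modified code. Returns the three verdicts."""
    results = {
        "expected": attest(GOOD_ENV, APP_CODE, BASELINE, ATTEST_KEY),
        "old_patch": attest(dict(GOOD_ENV, patch_level="2009-01"), APP_CODE,
                            BASELINE, ATTEST_KEY),
        "modified_code": attest(GOOD_ENV, APP_CODE + b"# injected\n",
                                BASELINE, ATTEST_KEY),
    }
    for name, (ok, why) in results.items():
        print(f"{name}: {'ok' if ok else 'REFUSE: ' + ', '.join(why)}")
    return results


if __name__ == "__main__":
    demo()
```

The caveat a practitioner will raise: a self-check that executes on an already compromised host can be fed false answers, so the baseline and key must live with the tenant, and in practice the measurements are anchored in hardware (a TPM or similar root of trust) and verified remotely rather than trusted because the application says so.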
Q: How far ahead can the Cloud Security Alliance predict the future of the cloud, and how do you approach that problem?
A: Most of our focus remains on the basics of building the foundation for cloud computing. But thought leaders can help influence the tactical aspects of building that foundation so that it is transferable, so we don't have to tear the foundation out and rebuild it every time we go into another cycle of the cloud.
Looking forward, I think it's naïve for anyone to tell you they can predict the state of the cloud two years out. Everything is changing, and we cannot predict the outcome of all these changes. Cloud computing is a different kind of transition from the move from mainframes to distributed systems; cloud computing will change everything about computing.
Q: My question is, what happens when MIPS cost almost nothing and storage costs almost nothing?
A: Everyone will use the cloud, and security will continue to evolve. For example, fully homomorphic encryption would allow me to process data without decrypting it. If I could do fully homomorphic encryption, I could put all my data in the cloud completely encrypted. That negates the threat model, right?
The problem is that running a fully homomorphic encryption algorithm takes more processing power than we currently have. But it will only take a short time for Moore's law to get us there.
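Processing data without decrypting it, as an added example that is not from the interview: the Paillier cryptosystem is additively homomorphic, so a cloud that holds only ciphertexts and the public modulus can add encrypted values and scale them by a constant, and only the key holder can read the result. Paillier is a partially homomorphic stand-in for the fully homomorphic encryption Archer refers to, which also supports multiplying ciphertexts at far higher cost. The primes and the sample balances are constructed for the example.

```python
import secrets
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


class PaillierKey:
    """Toy Paillier key pair. p and q are constructed, tiny primes for the
    demonstration; a real key uses primes of at least 1024 bits."""

    def __init__(self, p, q):
        assert gcd(p * q, (p - 1) * (q - 1)) == 1, "need same-length primes"
        self.n = p * q                 # public modulus
        self.n2 = self.n * self.n
        self.g = self.n + 1            # public generator (standard simplification)
        self.lam = lcm(p - 1, q - 1)   # private
        self.mu = pow(self._L(pow(self.g, self.lam, self.n2)), -1, self.n)  # private

    def _L(self, x):
        return (x - 1) // self.n

    def encrypt(self, m):
        """Randomised: a fresh r makes two encryptions of the same m differ."""
        assert 0 <= m < self.n
        r = secrets.randbelow(self.n - 1) + 1
        while gcd(r, self.n) != 1:     # vanishingly rare, but required
            r = secrets.randbelow(self.n - 1) + 1
        return pow(self.g, m, self.n2) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        return self._L(pow(c, self.lam, self.n2)) * self.mu % self.n


# The cloud side: it operates on ciphertexts knowing only the public modulus n.
def cloud_sum(n, ciphertexts):
    """Product of ciphertexts mod n^2 decrypts to the sum of the plaintexts."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc


def cloud_scale(n, c, k):
    """c^k mod n^2 decrypts to k times the plaintext."""
    return pow(c, k, n * n)


def demo():
    """Tenant encrypts balances, cloud adds and scales them blind, tenant
    decrypts. Returns (sum, 3 x first balance)."""
    key = PaillierKey(10007, 10009)         # constructed toy primes
    balances = [250, 175, 50]               # constructed sample data
    encrypted = [key.encrypt(b) for b in balances]
    total = key.decrypt(cloud_sum(key.n, encrypted))
    tripled = key.decrypt(cloud_scale(key.n, encrypted[0], 3))
    print(f"cloud computed sum {total} and 3 x first balance {tripled} "
          f"without ever decrypting")
    return total, tripled


if __name__ == "__main__":
    demo()
```

Two limits worth keeping in mind: results are only correct while the plaintext arithmetic stays below n, and Paillier gives the cloud addition only; the multiply-and-add generality that would let arbitrary computation run on encrypted data is exactly what fully homomorphic schemes add, and what makes them so much more expensive.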
Q: So will cloud security be able to keep pace with the changes in cloud computing?
A: Yes. Security in the cloud will improve. Companies like Sallie Mae, financial companies and others are required to get the same level of security as they have now, or better.
That demand on the provider translates into the same result for everyone. As a result, small businesses that cannot afford to buy adequate security on their own will get the same good security products that large businesses get when they adopt cloud services. We will have large providers that can deliver security efficiently. Security in the cloud will improve; we will have better security in the future.