Tuesday, February 11, 2014

Security Standards in the Cloud

Is there a correlation between the decision to adopt cloud technologies and confidence in the security assurance of the cloud?

Cloud computing is still a young technology. When consuming cloud services, it is important to recognize the dangers and potential risks facing us, as with any new or existing IT investment. Security concerns, questions about the maturity of suppliers in an industry in its infancy, reliability, and regulatory issues are all of concern to the professionals making decisions about adopting this new technology. What studies have been performed to quantitatively define the relationship between the adoption of cloud technologies and the level of confidence in system security?

“Confidence in cloud computing providers will increase as security standards are created and adopted.” To properly evaluate existing literature against this hypothesis, the following definitions must be established:

  • Confidence: a feeling of assurance or trust in a person or thing.
  • Cloud providers: Brad Smith defines this as “A service provider that offers customers storage or software services available via a private (private cloud) or public network (cloud). Usually, it means the storage and software is available for access via the Internet.” (Smith, 2010).
  • Security Standards: According to John Daintith and the Dictionary of Computing this can be defined as “A set of security features to be provided by a system before it can be deemed to be suitable for use in a particular security processing mode, or in accordance with a generalized security policy.” (Daintith, 2004).

In 2009, the Information Systems Audit and Control Association performed a survey over 1,500 professionals across 50 countries, in order to measure the relative immaturity of cloud computing usage and the uncertainty of the balance between risk and reward. This survey revealed that:
  • 9.4% of respondents plan to use cloud computing for mission-critical IT services.
  • 8.8% will only use the cloud for low-risk, non-mission-critical IT services.
  • 35.6% do not plan to use the cloud for any IT services.
  • 28.2% were not aware of any plans for cloud computing.
  • 12.1% would take large risks to maximize business return.
  • 61% of respondents reported that they believe the biggest risk to their organizations is failing to protect confidential data.

A similar study was pointed to by Art Coviello, Executive Vice President of EMC Corporation. In a keynote message at the RSA Conference 2010, he cited a recent survey conducted by CIO magazine that stated 51% of IT chiefs in the USA were unwilling to adopt cloud computing because of security issues.

The industry needs to deliver solutions that ensure that levels of protection in the cloud surpass what physical environments are providing today. “Security needs to be embedded in the virtual layer and practitioners need to shift from safeguarding the enterprise architecture to adopting a posture of information-centric protection.” (Coviello, 2010).

Another survey, conducted by IEEE/CSA in 2010, revealed that IT professionals are concerned about, and recognize the importance and urgency of, cloud computing security standards.
  • 44% responded that they are already involved in cloud computing projects.
  • 93% considered the need for cloud computing security standards as important.
  • 82% said the need is urgent. Data privacy, security and encryption comprise the most urgent area of need for standards development.

“It’s clear from this survey’s findings that enterprises across sectors are eager to adopt cloud computing, but that security standards are needed both to accelerate cloud adoption on a wide scale and to respond to regulatory drivers” (Reavis, 2010).

The presented literature supports the hypothesis that confidence in cloud computing providers will increase as security standards are created and adopted. As these studies show in a variety of ways, the absence of a security compliance environment is having an impact on cloud computing adoption. The CIOs of the largest financial and network security companies require that cloud computing platforms meet the highest standards of service. After all, they’re entrusting them with critical corporate data. Numerous studies provide quantitative results that clearly illustrate the importance of security assurance for cloud technologies. No studies were found that support a contrary argument.


Sources


Reavis, J. 2010. Enterprises eager to adopt cloud computing, but regulatory requirements demand security standards compliance. In Survey By IEEE And Cloud Security Alliance Details Importance And Urgency Of Cloud Computing Security Standards. (San Francisco, California, United States, March 1, 2010). IEEE Press Release. IEEE Computer Society Press, Los Alamitos, CA, 29-30.

Smith, B. 2010. Building Confidence in the Cloud. In A Proposal for Industry and Government Action for Europe to Reap the Benefits of Cloud Computing. (Brussels, Belgium, January 4, 2010). International Conference on EU Digital Market. Microsoft Press. Seattle, WA, 11-20.

Coviello, A. 2010. Securing the Path to Virtualization and the Private Cloud from the Desktop to the Datacenter. In Proceedings of RSA 2010 Security Decoded Conference (San Francisco, California, United States, March 1, 2010). International Conference on Computer Security. EMC-RSA, Inc. Boston, MA, 34-35.

Daintith, J. (2004, January 1). Online Dictionary of Computing. Retrieved on May 6, 2010, from Webopedia.com website: http://www.webopedia.com/TERM/s/security.html.
