
Cloud Security Alliance: On “Vision, Call To Action, Inspiration & Community Involvement”

My buddy George Hulme wrote a great piece on the efforts of the Cloud Security Alliance and the first draft of our “Security Guidance for Critical Areas of Focus in Cloud Computing.”

I had one important point of departure from his assessment that I feel needs discussion wherein George said:

While there are a number of minor issues I’d question in this paper, these are all fixable challenges — and will be strengthened in time, I’m certain. It’s that, despite its comprehensiveness, what is not in this paper that disappointed.

There is no overarching vision in this paper. There is no call to action for the IT community: whether it be the builders, providers, or consumers of cloud services. There’s no inspiration to motivate broad community involvement. This is no small oversight.

Selling the importance of doing cloud computing right from the beginning is the most “critical area of focus” of all.

I wanted to clear up my disagreement with George on those few points he dinged us on, as I feel that we covered all of these things both at our kick-off session at RSA and in the first release of the guidance. While we certainly could have “sold” the idea more, page 5 (the introduction) stated the following:

We are continuously bombarded with news of information technology’s next big thing, a disruptive trend in computing with far reaching implications.  Many of these trends are no more than a marketer’s dream – hype sells technology and it becomes difficult to separate real change from an incremental upgrade.  Cloud Computing is having its moment in the sun, as the concept of utilizing computing as an on-demand subscription creates operating and economic efficiencies. Some deride the cloud as nothing new and in many respects they are correct.  Henry Ford’s Model T was not a new invention, but the revolution that ensued cannot be denied.  We believe Cloud Computing to be a very important trend that in many ways is beginning to fulfill the early promise of the Internet and will create unanticipated change in business with its ubiquitous adoption.  Phase one of the Internet was connectivity, with Cloud Computing we are leveraging that connectivity to optimize the utility of computing.

While we do see Cloud Computing as being a major change coming to every business, as information security practitioners, we recognize that there are verities which must not change: good governance, managing risks and common sense.  Cloud Computing is an unstoppable force and we encourage security practitioners to lead and help accelerate its secure adoption aided by common sense, rather than standing on the sidelines and letting the business move forward without us.

Some evangelists of cloud computing encourage us to focus on the model as a black box, the seamless presentation of your information on demand.  Pay no attention to how it works: resources are dynamically allocated, loads are balanced in real time and data is archived automatically.   Our message to the security practitioner is that in these early days of cloud computing, you must look under the hood of your cloud providers and you must do so using the broadest precepts of your profession in order to properly assure that the service engagements meet and exceed the security requirements of your organization.

The Cloud Security Alliance is a grassroots effort to facilitate the mission to create and apply best practices to secure cloud computing.  Incorporated as a not-for-profit organization, our efforts will seek to provide a voice for security practitioners.  However, recognizing that a secure cloud is a shared responsibility, we will be inclusive of all organizations and points of view to fulfill this mission.

What follows is our initial report, outlining areas of concern and guidance for organizations adopting cloud computing.  The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers.  Much of this guidance is also quite relevant to the cloud provider to improve the quality and security of their service offerings.   As with any initial foray, there will certainly be guidance that we could improve upon.  We will quite likely modify the number of domains and change the focus of some areas of concern.  We seek your help to improve this guidance to make version 2.0 of this document an even better asset to the security practitioner and cloud provider.

We will be kicking off numerous online activities and in-person regional events to share our findings and connect with experts to increase our knowledge base.  Here is how you can get involved:

• Visit our website to find out how you can help: www.cloudsecurityalliance.org
• Join our LinkedIn group to collaborate with us: www.linkedin.com/groups?gid=1864210

In my opinion, the introduction conveyed our vision, the call to action, and inspired community involvement.  I’m slightly biased, however.

It could certainly be improved, but I felt that while George did a great job with the rest of his article, he missed the point that we did address these important issues.

Our outreach is currently limited by people’s bandwidth, but as things settle down after RSA and InfoSec UK, you can expect to see much better organizational efforts and messaging around what we are doing and how you can get involved.

Did you come away from reading the paper without a sense of vision, call to action, inspiration or how to get involved?   Please do let me know.

