Security guidance to aid agencies in cloud computing push

Threat list is helpful but incomplete, analysts say.

Recent security guidance could help inform government's cloud computing procurement process, but additional threats must be addressed, according to security experts.

The nonprofit Cloud Security Alliance last week released a list of the seven top threats to cloud computing, the practice of buying technology services over the Internet from a contractor or agency. Analysts have said the guidelines, which are based on risk assessments of primarily public computing environments, apply to both government and the private sector.

"All the issues listed in the report can be solved, mitigated, or to some degree, accepted," said CSA co-founder Nils Puhlmann, adding that transparency and the availability of security services to monitor and address threats are important and necessary.

Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based cybersecurity research and education group, said CSA's analysis is good, but pointed out several holes.

For example, he questioned what happens to data when an organization goes out of business and whether law enforcement can access private information. Another important threat to security is poorly written code from cloud vendors, he said.

The document also doesn't address issues surrounding disclosure in the event of a security breach, said Rick Wesson, chief executive officer of network security firm Support Intelligence.

Analysts agreed the threats identified in the report are common across computing environments, and government is no longer unique in its vulnerabilities.

"[We] can no longer just classify things by agency or by entity," said Puhlmann. "It's a little too simple to say, 'Defense is classified, lock it away.'"

He said what has changed is government increasingly wants to use available cloud-based technology. The Defense Department's social media directive is an important step, indicating that government, as much as the private sector, is looking at which technologies make the most sense and have an acceptable level of risk.

Paller said CSA's guidelines can be part of a larger movement to wrap cloud security into government procurement documents. Four departments recently began work on acquisition specifications for cloud computing efforts, he said, which will compel vendors to sell the security solutions agencies require.

The threats' relevance ultimately depends on the specific way a security breach will affect users, said Puhlmann.

"To really make a proper risk assessment, [you] need to understand the impact, which is defined based on what it means to the data owners," he said. He noted that government users might find other threat areas to add to CSA's list.