Many companies and groups are working to address security challenges in various ways. The Cloud Security Alliance (CSA), founded in 2009, is one of the most important of such initiatives because it’s arguably the organisation taking the broadest view of the problem. It’s a not-for-profit organisation whose mission is to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure additional forms of computing.
Red Hat has been participating in the CSA community for nearly two years, and has been working to raise awareness and adoption of the tools the CSA has built to secure physical, virtual and hybrid cloud environments. Now, as an official corporate member of the CSA, Red Hat will continue to drive a focus on open standards and security to protect enterprise workloads in the cloud.
The CSA has a broad membership with over 130 corporate members. This includes IT vendors like Red Hat that sell to a wide range of industries. But it also includes companies, such as healthcare technology supplier McKesson, that work specifically in industries that are highly regulated and significantly affected by data privacy requirements. It includes professional services firms with an interest in security and compliance issues, such as Ernst & Young and PwC. It includes government agencies such as the Department of Defense and suppliers to those agencies such as Raytheon. And it includes large technology end users such as eBay. The CSA's LinkedIn group also has a whopping nearly 40,000 individual members.
One specific CSA initiative is its Cloud Security Alliance Cloud Controls Matrix (CCM). CCM is designed to provide fundamental security principles “to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.” The goal here is essentially to provide structure so that security can be evaluated in a systematic way. Specifically, in the CSA’s words, to provide:
“…organisations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasising business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardised security and operational risk management, and seeks to normalise security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.”
It’s important to be systematic in this way because security isn’t one thing. In fact, the CCM considers 98 distinct areas of control across 13 different domains, such as compliance, resiliency and information security. Each of these areas of control is then mapped to the area of IT architecture where it applies (e.g., networking, data or compute), its relevance to different cloud service delivery models (IaaS, PaaS and SaaS), and its relationship to a wide range of regulations. Even a quick scan of the detailed matrix gives a sense of the degree to which the CCM provides a very specific, practical framework that organisations can use. (A 2009 study by the European Network and Information Security Agency (ENISA) provides a framework in a somewhat similar vein.)
The CCM (or an alternative document called the Consensus Assessments Initiative Questionnaire) can be used by cloud users to structure their own evaluations of cloud providers. However, these documents are also inputs to another CSA initiative called the CSA Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that “documents the security controls provided by various cloud computing offerings.” Cloud providers can submit self-assessment reports that document their compliance with CSA-published best practices. The CSA’s goal is to make it easier and faster for cloud users to do their due diligence and, more generally, to move to an environment where security practices are more transparent and even used as a differentiator among cloud providers.