When the Cloud Security Alliance (CSA) launched in 2008, the questions around cloud computing centered around whether cloud was secure enough to be trusted, how it could be managed securely and in such a way as to keep regulators happy. There was also plenty of talk about whether cloud would fully displace traditional enterprise data centers.
Today, we know that yes, the public cloud can be secured (reasonably so for many types of data) and that cloud won't completely displace on premise IT systems any time soon. However, the technologies that power the cloud are transforming those data centers into hybrid architectures that consist of traditional enterprise, private, and public cloud environments that will co-exist for years to come.
Jim Reavis, CSA co-founder and CEO, says that more enterprises are moving away from "very physically-oriented" architectures to more virtualized environments. "Recently, we are seeing a lot of our enterprise members become big container devotees, and they are looking at how do we think very virtually, and how do we excel at software-defined data centers," Reavis says.
"It's very much a platform battle, and while OpenStack is gaining some momentum, it's still relatively small, and I don't see the enterprises adopting OpenStack rapidly," Reavis says.
What does Reavis see enterprises adopting? Currently a little bit of everything: primarily Software-as-a-Service applications, as well as virtualized private clouds and public cloud. There are also platforms, such as Salesforce.com that are gaining traction. "In fact, it's too many platforms, I think, for developers to contend with," says Reavis. "It's why, I think, a lot of them are really interested in containers and technologies like that," he says.
When it comes to helping enterprises choose the most secure cloud services, in 2013, the CSA and the British Standards Institution created the Security Trust and Assurance Registry, or "STAR" certification program. The program aims to standardize how enterprises can vet the security of their existing cloud providers, or those that they are considering. Through the STAR certification program cloud providers are able to submit to a third-party assessment, and those that achieve the certification are listed in the CSA STAR Registry.
Yesterday at the RSA Conference 2015 in San Francisco, the CSA announced that the registry now has more than 100 entries, as cloud providers from across the globe that have sought to meet the security baseline established by the program.
The CSA also unveiled new guidance (.pdf) aimed at helping early adopters understand the security challenges surrounding the Internet of Things (IoT), and provide potential device security measures for enterprises implementing IoT. Recommended security controls detailed in the report include:
- Analyze privacy impacts to stakeholders and adopt a privacy-by-design approach to IoT development and deployment.
- Apply a Secure Systems Engineering approach to architecting and deploying a new IoT SoS.
- Implement layered security protections to defend IoT assets.
- Define life-cycle controls for IoT devices.
- Define and implement an authentication/authorization framework for the organization's IoT deployments.
- Define and implement a logging/audit framework for the organization's IoT ecosystem.
- Develop safeguards to assure the availability of IoT-based systems and data.
- Information sharing and support of a global approach to combating security threats by sharing threat information with security vendors, industry peers and Cloud Security Alliance.
"We think the IoT is an area that's not a future thing, it's a current thing because there's so much that's happening in the IoT today. Its adoption is broad and there are many types of embedded devices, whether they're critical infrastructure or personal devices we felt that there is a real need because all of the IoT devices are going to be all cloud-provisioned, cloud-managed and data stored in the cloud," Reavis says.