Enterprise Strategy Group | Getting to the bigger truth.TM

Worthwhile Cloud Computing Security Resources for CIOs

I recently participated in a Cloud Innovation Council CIO roundtable discussion focused on cloud computing in the insurance industry. As expected, the CIOs said that they were concerned about cloud computing security in areas like identity management, data security, and network security.

There was another issue, however, that came as a bit of a surprise to me. These IT executives said that cloud computing was so new that they really didn’t have a standard methodology to assess and audit cloud computing providers’ security. Yes, they had a general idea of what they wanted to know but were uncomfortable with informal evaluations and longed for some best practice guidelines.

This situation falls into the “I don’t know what I don’t know” category. Industry hype around cloud computing is off the charts, but when insurance industry CIOs really need some guidance, cloud computing noise makes it difficult to find help. For these and others in the same boat, I suggest they look into two different efforts focused on cloud computing security requirements and assessment processes.

The first is the great work being done by the Cloud Security Alliance (CSA). Now normally I am a bit skeptical of IT industry consortia, but the CSA really has looked thoroughly at cloud security and written several detailed documents around best practices. CSA has even looked beyond basic security and now offers several guidelines on cloud GRC as well.

In addition to the CSA, it is also worth looking into the cloud security work being done at the National Institute of Standards and Technology (NIST). While this has a federal government focus, NIST recently published its Federal Risk and Authorization Management Program (FedRAMP). According to the CIO.gov website, FedRAMP “has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products.” There are links to assessment guideline documents here.

With all of the money being spent on cloud computing marketing, you’d think there would be more focus on CSA and FedRAMP but this is not the case. As always, the IT industry loves to solve future, not current, problems. I hope that this blog calls attention to CSA and FedRAMP and provides some assistance to IT and security professionals in the process.

Related posts:

  1. FedRAMP Seeks to Unify Cloud Computing Security Standards Across the U.S. Government
  2. Cloud Security Alliance Presents Comprehensive Security — Not Industry Hype
  3. IBM’s Air Force Cloud: A worthwhile project
  4. Federal Government Remains Curious — but Skeptical — of Cloud Computing
  5. Education Will Take A Leadership Role in Cloud Computing

Tags: , Cloud Security Alliance, CSA, , FedRAMP, National Institute of Standards and Technology,

All views and opinions expressed in ESG blog posts are intended to be those of the post's author and do not necessarily reflect the views of Enterprise Strategy Group, Inc., or its clients. ESG bloggers do not and will not engage in any form of paid-for blogging. Click to see our complete Disclosure Policy.

Add a comment

Search
© 2011 Enterprise Strategy Group, Milford, MA 01757 Main: Fax:

Switch to our mobile site