Most of the information in this article is derived from a portion of an article on Information Week’s website, in its alert/manage risk section. As more organizations move toward cost-efficient cloud computing, concern for their data security increases, or at least it should. Many bury their heads in the sand, but as this article shows, there are many concerns, and often no one is certain where in the cloud their data resides.

Head in the Clouds

If you think you have risk management in hand, chances are cloud computing will shake that confidence. Assurances about data segregation, privacy, and security, while nothing new, take on added dimensions in cloud services because you don’t know where your data is most of the time. Don’t think cloud computing will affect your organization? It will. Surveys conducted by Deloitte’s Security & Privacy Services show that many companies already have moved to some outsourced computing “because you can’t argue with the dollars,” says Deloitte partner Rena Mears. “Stop asking if cloud computing is going to happen. It’s already happening.”

Knowing data’s location is fundamental to securing it, and the location of data may have significant legal implications. It’s a problem that Chiquita Brands tackles head-on when considering external service providers. “The first step for Chiquita,” says CIO Manjit Singh, “is to understand the regulatory requirements for every country we operate in. We then know the requirements we need to meet to protect our sensitive data internally. Then we have to ask ourselves and local authorities what an external provider needs to show to demonstrate they can protect our data as well as Chiquita.”

To do that, cloud and software-as-a-service providers have to agree to periodic security assessments by external auditors chosen by Singh’s team, and Chiquita must thoroughly understand the policy and procedures of the service provider, including who has access to the company’s data and equipment. For example, Singh points out that many providers have one policy governing their contractors and another for their own employees. In other cases, the provider may outsource part of its operations to yet another service provider. “You need to be aware of what’s going on in the facility and not just what relates directly to yourselves, which is a step a lot of companies miss,” he says.

The economics of cloud computing are so compelling that SaaS vendors are starting to host their applications in a cloud service. Two examples are point-of-sale software vendor PayGo and healthcare information manager MedCommons, both of which use Amazon.com’s Elastic Compute Cloud as an option to host their SaaS offerings. For providers like them, data may go through a chain of hands, all of which need to be known and evaluated.

Assessing the Cloud Threat

As the Chiquita example points out, assessing cloud security is difficult and ongoing. Providers are inclined to ask you to trust that they’re handling your data securely, without providing a mechanism to verify whether that trust is warranted.

One instrument often suggested for verification is the SAS-70 assessment. SAS-70 is a standard that dictates how audits of service providers should be done, but the assessments cover only the operations that the provider wants covered. Often the only document you get to see is the auditor’s statement of opinion, which provides an overview of the scope of the assessment and states whether the organization does what it says it does. What you don’t see, and what consultant Pironti recommends that providers not reveal, is the detailed auditor’s report, which lays out what the assessor found, including the tests performed.

Deloitte’s Mears is of the opinion that generally accepted practices will be developed for cloud computing providers to communicate clearly what they’re doing to comply with requirements to secure and manage sensitive data. “Providers can’t let everyone do their own assessment,” she says. “It’s not sustainable for them.”

One group that’s generating some buzz is the Cloud Security Alliance, a group comprising industry and customer organizations. The group’s initial Security Guidelines document includes a set of questions to ask providers, and another set to ask about your own organization’s readiness to adapt to cloud services. Jim Reavis, co-founder of the alliance, expects version 2.0 to be ready by October, providing more specific guidance, exploring the threats to cloud services in more detail, and providing more precise definitions.

Reavis believes it eventually will be mandatory for cloud providers to pass a security certification. The challenge for CSA is to create certification requirements that don’t suffer from PCI’s snapshot-in-time problem and that are directly applicable to cloud environments. In addition to working with the Information Systems Audit and Control Association, CSA will likely work with the American Institute of Certified Public Accountants, the International Organization for Standardization, auditing and security groups, as well as enterprise IT, service providers, and other stakeholders to come up with meaningful assessment and certifications, Reavis says. CSA is gaining support with backing from big-name companies like Dell and eBay, as well as cloud providers.

Chiquita's Singh says certifications are a starting point, but “we and other Fortune 500 companies wouldn’t be satisfied with a certification. We’d still require the right to have our own auditors perform an assessment. SMBs might be satisfied with them, but global companies view certifications as a starting point, from which we exercise the extra diligence of our own assessment to our requirements.”