CSA/BSI: A Partnership with its head in the Cloud?
The Cloud Security Alliance (CSA) recently revealed some serious and potentially very damaging statistics about data security in the wake of the NSA’s PRISM scandal. A survey of its members highlighted the full extent of cloud security concerns, with over 50% of non-US residents reporting they’re now less likely to use US-based cloud providers, prompting the CSA to leap into action by announcing a partnership with the British Standards Institute (BSI). This tie-up with the BSI heralds a more formal approach to ‘cloud transparency’ and will no doubt appease some – but will it actually change anything? It clearly shows that companies are taking cloud security seriously, but will it alter cloud customers’ perceptions?
There’s no doubting that the PRISM programme was a bolt out of the blue, catching many by surprise. But whether forming an alliance is enough to convince cloud customers that their data is secure is another matter. Government agencies have been in the business of accessing data for many years – even before the widespread use of computers. Encrypted radio signals have been intercepted, and decrypted, since the Second World War (at least). State-sponsored cybercrime is not new – but it is on the rise, backed by almost unlimited resources. The volume of these attacks will only increase, and that’s without considering the plethora of other hacks which aren’t leaked into the public domain. If data is available to PRISM, we must assume that it’s available to other, more nefarious organisations. Even in the case of a supposedly secure organisation such as the US National Security Agency, the security failed due to the actions of one (or possibly more) person. The realisation that even the biggest organisations are not safe surely means the introduction of a new partnership (despite its best intentions) will do little to reassure cloud customers, given the magnitude of the threat.
Businesses need to assess realistically whether they are likely to be targeted by such an attack. Once data is created it’s very difficult to remove, and realistically it can never be destroyed. Take email, for example: once it’s sent externally, even if it’s deleted, it’s virtually impossible to know where copies still exist. Because of this, organisations must think about the type of data published externally, who requires access to it and the lifecycle of that data. Similarly, if the reward of publishing data to the cloud does not outweigh the inherent risks, then that data should not be moved outside the organisation. Consideration must also be given to the encryption of data published to the cloud, and crucially to ensuring that it’s only released to those who need to know.
Cloud services are not going away, and at the very least the relationship between the CSA and the BSI will make providers more transparent and help businesses decide what to move to the cloud, and which providers are best suited to their business requirements. But the responsibility lies as much with the owner of the data as it does with the cloud provider, meaning businesses need to select a trusted provider. In return, the provider needs to offer the level of security and service that the business needs, not what the provider deems necessary. It’s a two-way relationship, and while the CSA/BSI partnership is likely to highlight this process, it is not realistic to expect it to convince customers that data is any safer in the cloud. That’s not to denigrate the move; it simply raises the question of whether any collaboration will allay cloud customers’ fears in the aftermath of such a gargantuan revelation.