CSA, an industry consortium of users and vendors, also highlighted vulnerabilities in the means given to cloud customers to access and manage the services they buy. These APIs are not necessarily secure and could offer attackers a chink through which they could infiltrate cloud networks and the corporate content entrusted to them. The answer: "Ensure strong authentication and access controls are implemented in concert with encrypted transmission," CSA said. CSA's report details 10 threats as well as fixes, but stands as a warning about embracing cloud services without carefully weighing the downsides.
While Coviello touted the ability to give auditors and compliance officials the data they need to ensure businesses meet security regulations, the validity of such regulations was questioned by the top White House cybersecurity adviser during his keynote address. Cybersecurity coordinator Howard Schmidt told the conference that security compliance under the Federal Information Security Management Act is flawed. "You can be [Federal Information Security Management Act] compliant but still not be secure," he said. "We agree that work needs to be done on that."
He said the government is addressing it with recommendations from the federal budget watchdog agency, the Office of Management and Budget, due out next month. Rather than meeting a set of regulations, agencies will have to meet performance metrics. "These new metrics begin to move us from a static compliance-based metrics program to a continuous monitoring capability," Schmidt said.
Meanwhile, U.S. Secretary of Homeland Security Janet Napolitano came to the conference as a recruiter, using her keynote address to acknowledge that government talent alone cannot address the threats the country faces. She announced that her department is seeking to fill top cybersecurity posts with candidates from outside government. "In fact, we may be trying to recruit some of you for your talent right now," she said. "We need it."
Napolitano also tried to interest conference attendees in a contest to create a national cybersecurity-awareness program for educating the general public about the cyber threats they face and how they can help improve security. She said she wants the programs to include social networking and to be as effective as past government campaigns to reduce smoking and litter.
Government can't do the job itself because the vast majority of the U.S. cyber infrastructure is privately owned. "I ask you to redouble the efforts that you are making to increase security, to increase reliability and to increase the quality of the products that you have that enter the global supply chain," Napolitano said.