There is no security standard for cloud; move forward anyway

Real standards won't be established until it's too late

Microsoft sees cloud computing as so central a part of the future of the IT industry and to its own fortunes it is, once again, pushing a set of behavioral and technical specifications designed to set standards for security in the cloud.

The intent is first to secure the data and applications of customers and second to create a broad-based trust in cloud computing as a category to encourage customers to begin moving their IT resources there in greater numbers, according to the Microsoft exec responsible for pushing its Cloud security initiative.

"It's really as big a shift for IT as the shift from mainframes to computers," according to Adrienne Hall, general manager of Microsoft's Trustworthy Computing group, said in an interview.

Trust is a key element both in convincing executives to approve the move and for IT people making the deals with cloud-services companies, she said.

Microsoft's plan is a set of processes called the Security Development Lifecycle (SDL), which is designed to create documented, auditable, traceable processes to help service providers or end-user companies to develop secure software for any environment.

In the cloud, SKL provides the transparency customers need to be able to trust that the service providers they hire use systems, custom code, networking protocols and virtual infrastructures that meet a customer's security requirements, and processes to let customers make sure those requirements continue to be met.

Secure code is only one small part of what makes customers feel secure in cloud deals, however, according to most surveys, which site vendor lock-in, shared-server hosting arrangements, clear SLA definitions that lay out what the security responsibilities of both customer and vendor really are, and the availability of the skilled programmers, sysadmins and NOC staffers they need to build, maintain and manage complex cloud environments.

Forrester's James Staten lays out most of those issues in relation to the restrictions of PAAS vs IAAS clouds, SAAS apps and infrastructure issues.

In his predictions for the cloud in 2011, Staten makes clear that there are a lot of competitors for the "cloud computing security standard," and that none are either comprehensive enough to be a slam dunk or have attracted enough followers to be a likely one-takes-all winner.

It's great that Microsoft is offering solid, documentable processes. It's great that DMTF, NIST, and the Cloud Security Alliance, are as well.

We're going to need all of them because end-user companies are adopting cloud according to their own needs, fears and budgets, not according to a timeline or set of expectations laid out by service providers.

That means they're going to need more than just one or two options to find a set of processes that work well for it.

It also means there won't be one set of security standards for "cloud" for at least a couple of years, if ever, partly because "the cloud" is so broad a concept it may not be possible to apply one set of standards to everything that could be made part of it.

What standards there are or will be will grow out of use and experience of hosted private clouds and hybrid clouds. Most of those projects are only starting now, so we're missing data on which to base standards, as well as the standards themselves.

Cloud standards won't be here when you start your project, Staten writes, get over it. That doesn't mean he's unsympathetic, or that you're too worried. It just means if you want the advantages of cloud you have to make the leap before all the questions have been answered.

Just consider it part of the risk management part of the development process.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon