Industry acts to allay cloud security doubts

By Dawinderpal Sahota

07 Jul 2010

Eric Domage: There are no standards as yet so it is difficult to trust cloud-based security vendors

As the industry gears up to provide standards around cloud security following a rush of cloud-based solutions from security vendors, it is probable that more end users will look to benefit from the cost savings and scalability that internet-based computing offers.

Currently, McAfee, Symantec and Google, through its Postini offering, provide cloud or software-as-a-service (SaaS) security solutions, and Kaspersky and AVG are expected to follow suit, according to Eric Domage, programme manager for security products and services at research firm IDC.

Domage explained that security vendors adapt their existing offerings to make them available as SaaS, often by acquiring smaller managed security service providers.

“It is very easy for these vendors to move into this space by acquiring a managed security service. Cisco did this with Scansafe and Symantec bought MessageLabs, then they both pushed services into the cloud.”

In addition, Symantec adapted its Endpoint security product, which is now sold as licence-based software and SaaS. Security specialist McAfee has also announced its own offering, SaaS Web Protection.

However, Marc Olesen, McAfee’s senior vice president and general manager of content and cloud security, explains that these cloud solutions will supplement on-premises security solutions as hybrid deployments for some time to come.

“We have many customers who are protecting their headquarters with an on-premises solution as well as protecting their remote branch offices with cloud-based solutions. This is cost-effective for them,” he said.

“Email security is another common hybrid. With more than 90 per cent of incoming email being spam, end users are employing inbound filtering solutions in the cloud, thereby saving on network bandwidth and service costs. But they’re doing outbound email filtering on-premises.”

The on-premises element will tend to afford granular control of outbound information, which aims to prevent intellectual property and business-sensitive data leaving the network. Both this and the cloud solution are often controlled via a single manufacturing or reporting console.

Problems with cloud security

One problem for end users is that there is currently no certification or accreditation system designed for cloud-based security services, offering little comfort for potential users considering the move.

“There is no stamp of trust, it doesn’t exist. There are no standards as yet – this means it is difficult to trust a cloud-based security vendor,” warned IDC’s Domage.

Risk management service provider Pentura’s Steve Smith has observed that security providers are hoping that by collecting as many general security accreditations as possible, such as the ISO 27001 information security standard issued by the International Organisation for Standardisation, they might be able to give end users confidence in their solutions as a whole.

“A lot of organisations are going for ISO 27001 compliance, for example. They’re trying to collect as many badges as they can and are talking to firms such as VeriSign for accreditation. These cloud providers are having to go the extra mile by getting as many accreditations as they can, even though no accreditation has a cloud security name to it,” he said.

That could all change with the introduction of the Cloud Security Alliance (CSA), a non-profit organisation that will promote best practice for providing security assurance in the cloud. The CSA will provide accreditations to individuals and services, as well as open standards that all cloud-based security solution providers can apply, and will do so in stages throughout 2010.

The first step is to provide certification to individuals. The CSA will provide training for people wanting to become experts in cloud security. It will also provide security accreditation to solution providers, meaning security firms can be given cloud-based security accreditation. These two standards will be ready by late summer 2010.

Finally, the body will provide quality standards addressing the architecture of cloud security solutions. This will take a little longer – according to Smith, until the end of 2010, with the first certifications to be given at the beginning of 2011.

“We don’t know what form it will take, but it will provide open standards that all security companies can apply and everyone can follow the processes outlined in the standard,” he said.

Reader comments

Standards are a must

Standards for Cloud Security are a must in order to ensure that this is a viable option for protecting information.

Accreditations like ISO 27001 add a level of professionalism and structure to a cloud security platform. Further to this, having targeted training and certification will only make this industry offering even more sophisticated. This will make Cloud Security an even more attractive offering for the online world.

Posted by: Miriam Berger  08 Jul 2010
