Industry alliance attempts to establish best practices around cloud security

July 27, 2012

Cloud consumers are increasing, but answers to frequently asked questions over data security in cloud computing are still up in the air, an organization of global adopters believes.

The Open Data Center Alliance (ODCA), an organization of over 300 corporate members, has been focusing on providing definitive answers to the concerns over cloud security and to put in place concrete standards for companies to adopt if they decide to implement the cloud as part of their business practices.

According to the Sydney Morning Herald, the ODCA has drafted a security assurance model that is currently under revision by some of its members, which include BMW and the National Australia Bank. The model seeks to address the subjects of who has access to any data stored within the cloud and how "robust" the security measures should be.

"The biggest problem with the cloud is that you cannot get a consistent definition of what is secure," Matt Lowth, National Australia Bank's principal security architect, said at a recent seminar in New York. "And if I can't get the same answer from three different vendors, how do I know what secure is? Security depends on what you are after. For an advertising site or a marketing site, cloud is perfectly secure. It does the job. On the flip side, if you are a military type of business it is probably not secure enough. There's lots of stuff out there that if you had it compromised, people's lives are at risk. I guess, 'it depends' is the answer to whether the cloud is secure."

The model could have the answer
Lowth believes that the ODCA Cloud Provider Assurance Model proposed in 2011 will eventually be able to give a more definitive answer. The model consists of four separate usage levels that would be tailored to the demands, type and size of the industry, with the highest levels of usage allocated to financial institutions, which require a high level of data security in the cloud, and military organizations.

Smaller enterprises and global corporations not involved in finance or banking could implement lower levels of data security but with cloud computing still very much in the early stages of adoption, there is an inevitable comparison to more established data storage technology.

"It is like comparing apples and oranges," said Ian Lamont, and IT security specialist with BMW. "You can't say one is better than the other. What is key is that, as a consumer of the cloud, you absolutely have to know what is secure."

-McAfee Cloud Security