When it comes to hyperbole, the technology industry is at least as persistent as any other. Take cloud computing, the buzz term du jour. Is the industry hype here appropriate? Yes and no. Yes, cloud computing will play an increasing role in the future of IT, but in the short term it is more vision than reality. Case in point: ESG Research indicates that only 12% of mid-sized companies and large enterprises say that “increased use of cloud computing services” rates as one of their top IT priorities for the next 12 to 18 months. This is far from a tectonic shift and suggests more of a 3-5 year migration like we have seen in the past.
Regardless of when organizations make this plunge, cloud security will be one of the major stumbling blocks. If internal controls or compliance mandates don’t align with cloud computing, all of the speeds-and-feeds innovation in the world won’t matter.
The fact is that cloud security is another complex area that is being oversimplified and hyped by the vendor community. No single security product (or suite of products) will provide cloud security; rather, cloud security will depend upon a combination of contractual protection, shared governance and technology safeguards, transparency, and cyber supply chain assurance, amongst other things.
Readers who are truly interested in a process-oriented approach to cloud security would be well served by reading a comprehensive paper from the Cloud Security Alliance titled Security Guidance for Critical Areas of Focus in Cloud Computing (available at the CSA web site, www.cloudsecurityalliance.org). After a brief cloud definition and taxonomy, the report is divided into two major sections:
- Governing in the cloud with domains on governance and enterprise risk management, legal and electronic discovery, compliance and audit, information lifecycle management, and operability and interoperability.
- Operating in the cloud with domains on traditional security and BC/DR, data center operations, incident response, application security, encryption/key management, identity and access management, and virtualization.
While the CSA has wide participation, many IT professionals and security technology vendors I’ve spoken with were not aware of this document and, like me, felt it was well worth the time to read.
I am a firm believer in the cloud computing model, but I despise the cloud computing rhetoric from the industry. Cloud computing will be a marathon rather than a sprint, and we are just starting the race. Without pragmatic guidelines like those presented by the Cloud Security Alliance, cloud computing will continue to live in television commercials and vendor collateral rather than enterprise IT.


