Cloud Security Alliance formed to promote best practices

A group calling itself the Cloud Security Alliance announced its formation Tuesday, with eBay and ING as founding members.

The alliance, which plans to make its first big splash at the upcoming RSA Conference, was formed to promote security best practices in a cloud computing environment.

The on-demand cloud computing model is putting new demand on security, according to statements from Dave Cullinane, CISO at eBay. "The very nature of how businesses use information technology is being transformed by the on-demand cloud computing model," he said. "It is imperative that information security leaders are engaged at this early stage to help assure that the rapid adoption of cloud computing builds in information security best practices without impeding the business."

"Enterprises need pragmatic advice to qualify and engage with cloud providers in a way that is in alignment with organizational risk tolerances," says Alan Boehme, Cloud Security Alliance founding member and senior vice president of IT strategy and architecture at ING, a large global financial-service firm.

Chris Hoff, technical advisor to the Cloud Security Alliance, says the group, which includes a mix of  user companies and vendors (PGP, Qualys and zScaler are among those announced) wants to sort out issues coming up in the cloud computing environment today.

"These companies, large and small, are struggling to make cloud computing relevant to their business," Hoff says. "The cloud means many things to many people." The group will seek not to define standards but set a common baseline for understanding security for cloud computing.

The group will likely tackle recommendations about security for cloud computing, and according to the group's Web site, it will be examining "15 domains of concern."

These include areas such as governance and enterprise risk, information and life-cycle management, compliance and audit, eDiscovery, encryption and key management, application security, identity and access management and incident response.

In related news, a document called the Open Cloud Manifesto, signed by dozens of vendors in support of cloud computing interoperability, was released  Monday.

This document, issued by a group said to include IBM, Sun Microsystems, VMware and several others, tackles issues surrounding security, integration, interoperability, portability, governance/management and metering/monitoring in a cloud environment. But at least for the moment, it is mired in some controversy.

"The debacle stems from how the document was put together," Hoff explains. Some believe the document was too top-heavy with input from IBM and not open enough. Others criticize it as missing support from some of the major cloud computing heavyweights, such as Google.

Hoff says debate about it all is ongoing at the Cloud Computing Expo in New York City this week.