The Cloud Security Alliance has updated its Cloud Control Matrix (CCM), which is designed to help organisations vet the security credentials of cloud service providers.
The CCM provides recommendations of best practices for securing the cloud. It covers a wide variety of areas, from data center, hardware and application security, to business continuity and vulnerability assessment. The third version of the CCM, released last week, includes guidelines for five new categories: mobile security; supply chain management, transparency and accountability; interoperability and portability; and encryption and key management.
Mobile was a natural area to focus new security best practices on because it's becoming a popular use case for the cloud, says Sean Cordero, co-chair of the CCM Working Group that helped create the guidelines. The mobile best practices cover not only how cloud-based services are accessed via mobile devices, but also how software like mobile device management (MDM) tools are delivered through an SaaS offering.
One recommendation, for example, is to have a clearly-defined mobile use policy and to ensure that everyone within the organisation is familiar with it. While somewhat obvious, many customers lack a fundamental policy to control which services users can access from their mobile devices, Cordero says.
"This has really sprung up from the organic growth of BYOD (bring your own device)," says Cordero, who is also president of boutique cloud security consultancy Cloud Watchmen. "An executive wants to use an iPad, but then all of a sudden there are questions." A policy can dictate how the device is secured, what information it stores and what data on the device the business has access to. "Be clear about what the rules of the game are," Cordero says.
Another new category is for supply chain management, transparency and accountability. The CSA recommends that customers have a clear understanding of exactly how data is handled by their provider. In some cases the provider may be working with other third parties, which can present a security risk, Cordero explains.
For example, in virtual desktop deployments customers may contract with a vendor, but on the back end the VDI provider may use another third-party storage platform. Customers should know the entire supply chain of their data to ensure it is appropriately secured throughout the entire process. Another increasingly common scenario is in the platform as a service (PaaS) market, Cordero says. Often a PaaS - which is an application development platform - runs on an underlying infrastructure as a service (IaaS). Customers should be aware of the service-level agreements (SLAs) and security controls not just of their PaaS provider, but of any foundational IaaS provider as well.
Following security best practices like those outlined by the CCM is one way for customers to protect themselves. The recent cautionary tale of cloud storage provider Nirvanix, which gave its customers short notice to move data from its cloud because it was folding, has reinforced the importance of having a business continuity and data exit plan.
The CSA, a non-profit organisation focused on advancing the security of the cloud, regularly updates the CCM to ensure it incorporates the latest industry-accepted security standards, such as ISO 27001/2. Members like Cordero work with cloud users, advisers and service providers to identify the latest trends in the industry and ensure they are reflected in the CCM.
Customers can see the full list of CCM specifications by downloading the PDF version here (registration with the CSA is required). The CSA also maintains the STAR Registry, which presents the CCM in a questionnaire format that providers fill out; their responses are posted on the CSA website, where consumers can use them to compare various cloud providers.