Study Looks to Pinpoint Security Issues Unique to Cloud Computing

    We’ve all heard the benefits of the cloud: increased efficiency, reduced capital expenditures and more business flexibility. And, yet, many organizations are still reluctant to jump on board. The reason cited? Many organizations don’t trust cloud security, plain and simple. But if you’re looking for specific reasons for the lack of trust, well, you won’t find them.

    The National Institute of Standards and Technology posed the same question in a recent study, “What Is Special About Cloud Security?,” which you can find here in our IT Downloads library. The researchers wanted to find out what specific cloud security issues stood out the most. They started by looking at cloud security controls documented within the Cloud Security Alliance (CSA) security control framework that was based on work done by the ENISA and NIST. There, they identified 98 cloud-specific security controls, but because they could be mapped to “existing implementation-independent security control frameworks,” the researchers could not claim that they were unique to cloud computing.

    Moving on, they then mapped the CSA cloud security control to multiple controls from the general-purpose control frameworks, including specific cloud characteristics such as cloud broker, resource pooling, infrastructure as a service and broad network access.

    So what was the conclusion? While the researchers acknowledged that more research needed to be done, they found that for the time being, the “issues do not appear to require completely new security controls but instead the creative application of existing security techniques.”

    Perhaps transparency is key to encouraging more organizations to adopt the cloud, as the CSA set out to do by conducting surveys of cloud service providers. Among other interesting tidbits, it found that more guidance was needed for data discovery best practices. The CSA has also created the Security Trust and Assurance Registry (STAR), a registry for cloud provider self-assessments, and plans to implement a larger, industry-specific certification framework in the next year or so.

    Latest Articles