Assurance for Tomorrow’s Cloud

Cloud computing, and Big Data are natural bedfellows.  Add to that mix, Critical infrastructure, and consumers and all of a sudden the need for greater assurance only increases.  We will soon witness convergence of these technological advancements on a monumental scale, with previously disconnected systems now becoming connected.

This degree of convergence is also blurring the lines between the physical and logical world, previously IP enabled devices would allow you to access the Internet, or access email.  In the future however, and even to and to a lesser extent today we are using IP networks to control our televisions, music systems and so on.   Expect to see greater autonomy within the home (e.g. smart meters, consumer appliances), the car and at work.   At work these building management systems will include IP enabled Heating, Ventilation, and Air Conditioning (HVAC), security systems, lighting, fire monitoring, lifts, and so on.

This should of course change the assurance requirements.

A recent article in the New York Times suggested that “Providers of cloud services in Europe are having problems selling to some of their biggest potential customers: national governments”[i] .  The reason ultimately came down to assurance, in other words it was not clear to the end-customer how data would be protected.  This of course is not entirely true, there are many public sector customers using public cloud computing services, but the statement takes on an element of validity when we question the sensitivity of data being entrusted to third parties.

In the future however, the level of assurance sought will only increase.  The implications of data loss are significant, but when a security incident could affect the availability of critical infrastructure, such as the energy grid then a once per year checklist compliance assessment is simply not enough.  This raises the importance of continuous assessment, and in particular an assessment that is capable of monitoring the actions undertaken by a third party.    This raises the imperative for the success of programmes such as Cloud Audit that allows “cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology”.

Simply put, in order to support the Internet Of Things, and the explosion of IP enabled devices the need for greater assurance will increase.  The assurance models whilst entirely appropriate today need to evolve to support the cloud of tomorrow.

By Raj Samani

[email protected]_Samani

Raj is the EMEA Strategy Advisor for the Cloud Security Alliance, and EMEA CTO for McAfee.  He is the co-author of the upcoming Syngress book entitled Cyber Security for the Smart Grid ([email protected]), written with Eric Knapp (Twitter @edknapp) with technical edits by Joel Langill (@ScadaHacker).