Cloud Security Alliance Annual EMEA Congress Discussions
It was as cloudy as Edinburgh could be in the autumn, when the “Cloud Security Alliance Annual EMEA Congress” featuring about 300 Cloud Computing stake-holders, gathered for the event that was held during the last week of September, produced By MISTI Europe.
The variety of organizations participating demonstrated the array of topics relevant to Cloud Computing adoption. Standards institutions – alongside government bodies, cloud providers and software vendors – demonstrated the challenges facing Cloud Computing. The considerable number of non-EU presenters further demonstrated the globalization process this technology is going through these days, as well as the EU’s role in its advancement.
The Congress's topics could generally be divided into three major categories: government access to data (inspired by PRISM); the cloud providers’ lack of transparency; and the technological challenges facing Cloud Computing adoption.
The congress began with an excellent keynote presentation from Mikko Hypponen, Chief Research Officer for F-Secure. Circling the stage, Mr. Hypponen listed the new cyber threats facing the world, and predicted that will see be attacks on every device equipped with processor in order to use CPU time for Bitcoins mining, and that malware will start maliciously locking our cloud services for ransom.
Regarding government access to data, the F-Secure CRO mentioned how surprised he was to learn how far the NSA is willing to go in order to weaken the standards we all rely upon, and speculated that direct access to providers was not a result of providers cooperation, but rather due to massive hacking attempts by the NSA. The example given was the recent finding published by “Der Spiegel” about the British Intelligence services' hacking the Belgian Telecom Company.
Another interesting lecture regarding governments' access to data was given by Jon Callas, co-founder of PGP and Silent Circle. This top cryptographer reviewed the different sources for surveillance: the various nations’ surveillance levels such as anti-terror, crime prospecting, and economic espionage. Non-national surveillance includes that done by criminals; corporate espionage; and companies such as Google which utilize business models to collect customer data. Callas described the efforts Silent Circle is making in order to help customers avoid different kinds of surveillance, and described the process’s two pathways: technological tools such as encryption and ammonization, and procedures and policies that will define how to safely and confidentially guard the users.
In a later panel regarding PRISM, Mr. Callas revealed the story behind the difficult decision to close Silent Circle’s secure e-mail services, immediately after they had learned that another secure e-mail provider, Lavabit, was served with a federal warrant to reveal data. Current e-mail protocol is just too difficult to secure due to email headers and metadata information saved for each e-mail, he explained.
Government access to data is not the only thing preventing the required trust in Cloud Computing. Cloud provider transparency, or lack of it, is also a major obstacle. Microsoft, Google, HP, Amazon and Adobe all presented and shared their recent efforts to provide transparency to their operation, as well as ways to increase trust. Adriana Hall from Microsoft presented the latest survey regarding Cloud Computing adoption, revealing that although most customers expressed concerns regarding the security and privacy of their data in the cloud, a majority of the companies said that security had actually improved by moving to the cloud. In her presentation, Ms. Hall exhibited the steps Microsoft is taking in order to increase trust – including complying with different regulations, and advertising their cloud products’ development and operations control to designated Trust centers.
Similar claims came from Adobe and Google, who were very keen to present the measures they are taking in order to protect data. David Lenoe, Director of Product Security at Adobe, described his goals as good architecture, solid code and security in operations. He elaborated on some of the steps Adobe is performing in order to achieve them: SDLC adoption and security training incorporating the martial arts style, with different colored belts given to each level of security awareness. Eran Feigenbaum, Director of Security for Google apps, said that the question is not whether the data is protected in the cloud, but whether it is protected outside of it. He presented a survey demonstrating that 60% of corporate data is located on unprotected laptops. “Cloud providers are built differently“, he explained, “their software is built for resilience, and homogeneous environments make security more robust“.
In the race for transparency and trust, standardization is a cornerstone. The amount of time dedicated in the Congress for reviewing the topics of cloud standards demonstrates how much progress has been made on this subject in the last year. During the Congress, the Cloud Security Alliance announced the launch of its new STAR certificate for cloud providers. The certification, based on ISO27001, was developed along with BSI, and is the first independent and technology-neutral certification aimed at providing more transparency to the industry.
Certification and standards are also regarded by governments as important in promoting Cloud Computing. According to Tjabbe Bos from the cloud unit of the EU commission, the EU Cloud Computing strategy’s aim is to produce 3.8 million additional jobs, and to add 950 Billion EURO to the GDP by 2020. The way to implement the strategy, Mr. Bos added, is through three key actions: building safe and fair contracts; establishing EU partnerships among all cloud stakeholders; and cutting through the chaos of conflicting standards and regulations. Later on, the ENISA head of secure infrastructure and services explained how ENISA is helping the EU to achieve its cloud strategy, by formalizing standards and certification, and establishing international and national corporations. “In the Japanese tsunami disaster, the only emergency services that were able to continue operating were the cloud-based ones“, Dr. Ouzounis revealed, “and therefore we treat it as critical infrastructure and our future digital life backbone“.
From the technological point of view, the challenges that occupied the crowd were similar to last year, and included new format and use cases for encryptions, challenges for authentication and identity management, API security, and mobile and big data.
The encryption solutions presented by companies such as Brainloop and Seclore were file level encryption (IRM) tools and services aiming at providing control, access list and audit throughout the document life cycle, and sharing. IRM and file level encryption technology has been around for some time, but failed to move forward at the enterprise level. Perhaps in the cloud era this technology will succeed, due to sharing and the flexible nature of cloud services. Other identity and authentication solutions were presented by PerfectCloud and Nok Nok labs, which presented the FIDO alliance solution for Internet authentication.
It was also agreed – in a panel about the future of Cloud Computing security trends – that API security will be a central component of the security architecture. “In a world of mobile and the Internet of things, everything is API based“, said Mark O'Neill, VP of Innovation at Axway, who demonstrated in his presentation the technology of the API gateway and how they can assist organizations in future API driven attacks.
An interesting and unique new technology was presented by SkyHigh security. According to Gartner, by 2015 35% of an organization’s IT spending will not be made by the IT department (called Shadow IT), mainly due to the ease of use and ease of purchase of Cloud Computing services. This information encapsulates a great threat to the status of the CIO. SkyHigh enables the IT department to track and analyze the different cloud services used by the organization – formally and informally – and understand the potential risk associated with those services. An example of the importance of discovering and managing such services was given by Michael Mattmiller from Microsoft, who shared a story about hospital personnel using a cloud knowledge sharing service to increase productivity among them. However, when the CIO found out and examined the data uploaded to the cloud and the provider service agreement, the hospital had to report a security breach to the authorities, and suffer the consequences.
In conclusion, when comparing the 2013 Congress to the previous one last year, the feeling is that cloud services have matured considerably, although there were some minor disruptions such as PRISM. While last year the debate revolved around the advantages and reasons to move to the cloud, this year the discussions were about when and how. A great contribution was made to this process by the governments and the different standardization institutes – which understood their role in the cloud adoption process; by the providers, who generally try to listen to customers and adopt more transparent offering; and by the Cloud Security Alliance, which exhibited a quick understanding of the different crossroads ahead and invested in the right tools for enabling safer cloud adoption.
By Moshe Ferber,