CSA Crafting Enterprise Cloud Security Framework

The Cloud Security Alliance (CSA) on Wednesday launched an initiative to help enterprises use cloud computing services to protect their infrastructures.

A new working group called the Software Defined Perimeter (SDP) project represents a departure for the organization, which was formed with the mission of improving cloud security. The SDP Working Group seeks to provide a standard way for enterprises to use cloud services to protect their infrastructures in the age of bring-your-own-device (BYOD) and employees' own use of cloud services.

"What we're proposing is actually very new in the sense that the cloud actually does become your perimeter versus thinking of the cloud to get low-cost CPU cycles," said Junaid Islam, co-chair of the SDP Working Group and president and CTO of Vidder, a provider of security solutions.

The committee is developing a framework that identifies devices, implements standard authentication, and creates a one-time-use VPN on an application server, ensuring that the user can see only the data he or she is permitted to access, Islam explained.

"We want to take all of this and run it in a cloud service," Islam said. "What the CSA is doing, instead of everyone in the industry coming up with their own version of this, is creating a standard, public domain, free-to-use-without-restrictions framework that pulls all these concepts together in a framework that is well thought-out and vetted by a team of experts."

The CSA is already collaborating with major cloud providers, Islam added, though he declined to name any.

Islam pointed to a large corporate customer with a well-known brand that is working with a "gigantic" cloud provider, neither of which he would name; their project will represent the first deployment of SDP. The deployment will be announced at the RSA Conference in late February, presuming it doesn't leak out sooner.

Bob Flores, former CTO of the CIA and now CEO of Applicology, a consulting firm, is the other co-chair of the SDP Working Group. Flores will outline the new framework at the CSA Congress conference in Orlando next month. The committee will also publish a whitepaper outlining the framework.

The workgroup is also creating APIs that customers, systems integrators and developers can use to implement these security protocols. The group will release previews next quarter and hopes to have a working API by mid-year. One such API will use SAML to enable the use of device certificates, which Islam explained are rarely used today.

"What we're doing is pulling it together, saying, 'Here's a way to get a device cert. Now that you have it, use it to create this mutual TLS connection, then use it to set up your credentials,'" Islam said.

To be sure, SDP is in its early stages. "It's important to understand, what starts rolling out in the first quarter of next year is not the be-all, end-all. This will build on itself as time rolls on and best practices are identified," Flores said. "It may start off with something as simple as authenticating end users to a cloud, which today is not done universally. From there, we will go on to other issues related to security."

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.