The Cloud Security Alliance wants to see more privacy in the cloud


The Cloud Security Alliance (CSA) wants to raise the bar for protecting customer privacy in the cloud. That's the message from its CEO, Jim Reavis. The CSA will once again host a free summit for attendees at this year's SecTor conference, addressing cloud security issues, and the crossover between security and privacy will be high on the agenda.

Last September, the Alliance asked cloud providers how they rated their countries’ processes for obtaining information as part of criminal and terrorist investigations. 68% of them felt that their countries’ transparency was below average. 58% said they were below average in terms of accountability. Over half rated their countries’ efficiency at obtaining information as ‘poor’ or ‘fair’.

Data like this convinces Reavis that something needs to be done.

“When you’re operating on a global level, you have to look at this holistically, and not let one country’s laws dictate how you treat people in another country,” he said, pointing out how cloud service providers in the US are already challenging some requests for information from the Department of Justice and other areas of government.

A fine line

Cloud service providers walk a fine line when it comes to government relations. On the one hand, they need to be seen as patriotic and helping to protect national security. On the other, they have to protect customer privacy.

Canadian citizens are particularly concerned about this. In February, the Federal Privacy Commissioner released a survey, finding that eight in every ten respondents would decide whether to do business with a company or not based on its privacy practices. If a cloud service provider automatically makes all customer data transparently accessible to intelligence agencies working with law enforcement, that could concern business customers – especially if this places their own clients’ data at risk.

“We think that absolutely governments need to chase down the bad guys, and they need the tools and techniques to do that. But understand that for example it’s just not feasible to build back doors or front doors into cryptography systems any longer,” Reavis said.

“It’s going to be good in the long run for law enforcement and trying to catch the bad guys if we have better consensus-oriented ways in how we do that without putting every citizen in the world under suspicion as being a potential miscreant,” he continued.

More privacy

The Alliance is increasing its activity where security and privacy intersect. Even though it was started in the US and Reavis is an American, he still chose the EU as the jurisdiction from which to launch the organization’s privacy research.

“We have a very strong belief that best practices in cloud adoption need to be globally palatable,” he said. “We have based that privacy research out of Europe, because we feel that it’s a very extensive data privacy culture and legislation there.”

In early June, the Alliance released version 2 of its Privacy Level Agreement (PLA). This is a tool that lets customers identify a baseline set of legal requirements for personal data protection across the European Union. They can also evaluate cloud service providers against this baseline using the tool.

“PLA outlines for us the bill of rights and what we would like to see as a commitment from providers to protect the privacy of their consumers and their users, to ensure that they are well aligned with any specific country’s data privacy directives,” Reavis said.

In the future, the Alliance would like to see a privacy component to cloud service provider accreditation, which currently focuses on security through the organization’s STAR program. It is likely that this would be a voluntary accreditation for providers. If the feedback from PLA v2 is positive, then next year will be a likely timeframe for a privacy accreditation program for providers.

More interoperability

The organization is also drilling down into more technology-focused activities. Today, it announced a working group to define protocols and best practices for data security in the cloud. Working with CipherCloud, along with companies such as Deloitte, Intel Security, and SAP, the initiative targets customers and third-party service providers who regularly integrate with cloud services and need an easier way to manage security operations when working with different cloud service providers.

An example of such a third-party provider would be a cloud access security broker (CASB). These are the companies that position themselves between customers and cloud service providers, adding an extra layer of security. They will typically encrypt or tokenize data before it reaches the provider, and manage the encryption keys on the customer’s behalf, so that the provider itself never holds the cleartext or the keys.

The Cloud Security Open API Working Group will develop guidelines for data security implementation. It will focus on areas including the use of encryption and tokenization in cloud environments, and will hopefully deliver standards that will make it easier for customers, CASBs and cloud service providers to integrate without having to invest in complicated custom projects. Making it easier to exchange and manage cryptography information could have a positive effect on both privacy and security.
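To make the CASB pattern described above concrete, here is an added illustration of the tokenization path a broker provides, written for this page and not taken from the CSA, CipherCloud, or any working-group deliverable. Sensitive fields are swapped for random surrogate tokens before a record leaves the customer's control; the token-to-cleartext vault and its lookup key stay with the customer or the CASB, so the provider only ever stores tokens. The field names, the `tok_` prefix, the record layout and the vault design are all assumptions made for the example. Real brokers pair this with authenticated encryption (for example AES-GCM) for data that must round-trip without a vault lookup; this standard-library-only example shows just the tokenization side.

```python
"""CASB-style tokenization gateway (added illustration; hypothetical design).

A cloud access security broker sits between the customer and the cloud
provider.  Sensitive fields are replaced with surrogate tokens before the
record leaves the customer's control; the mapping (the "vault") and the
keying material never reach the provider.
"""
import hashlib
import hmac
import secrets


class TokenVault:
    """Holds the token <-> cleartext mapping.  Lives on the customer/CASB
    side; the provider only ever sees the tokens."""

    def __init__(self, lookup_key: bytes):
        # A keyed hash of the cleartext lets the same value map to the same
        # token (so equality lookups still work at the provider) without the
        # vault storing an unkeyed, brute-forceable hash of the value.
        self._lookup_key = lookup_key
        self._by_digest = {}   # HMAC(field, value) -> token
        self._by_token = {}    # token -> cleartext

    def _digest(self, field: str, value: str) -> str:
        # Bind the field name so the same value in two fields gets two tokens.
        msg = field.encode() + b"\x00" + value.encode()
        return hmac.new(self._lookup_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, field: str, value: str) -> str:
        d = self._digest(field, value)
        tok = self._by_digest.get(d)
        if tok is None:
            # Random surrogate: no mathematical relationship to the value,
            # so a provider-side breach yields nothing without the vault.
            tok = "tok_" + secrets.token_hex(12)
            self._by_digest[d] = tok
            self._by_token[tok] = value
        return tok

    def detokenize(self, token: str) -> str:
        try:
            return self._by_token[token]
        except KeyError:
            raise ValueError("unknown token (not issued by this vault)") from None


# Hypothetical policy: which record fields must never reach the provider.
SENSITIVE_FIELDS = ("email", "ssn")


def outbound(record: dict, vault: TokenVault) -> dict:
    """Customer -> provider: replace sensitive fields with tokens."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out


def inbound(record: dict, vault: TokenVault) -> dict:
    """Provider -> customer: restore cleartext from the local vault."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out and out[field].startswith("tok_"):
            out[field] = vault.detokenize(out[field])
    return out


def demo():
    """Run two constructed records through the gateway and back."""
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    # Constructed sample records; the values are not real people.
    records = [
        {"id": 1, "email": "alice@example.com", "ssn": "123-45-6789", "plan": "pro"},
        {"id": 2, "email": "alice@example.com", "ssn": "987-65-4321", "plan": "free"},
    ]
    sent = [outbound(r, vault) for r in records]          # what the provider stores
    restored = [inbound(r, vault) for r in sent]          # what the customer sees
    return records, sent, restored


if __name__ == "__main__":
    originals, at_provider, back = demo()
    for r in at_provider:
        print("provider sees:", r)
    print("round-trip intact:", back == originals)
```

Two design points are worth noting. Because the lookup digest is keyed and bound to the field name, the provider can still run equality queries on the `email` column (both records above receive the same token), while the same value appearing in a different field, or in a different tenant's vault, gets an unrelated token. And because the tokens are random rather than derived from the value, a full copy of the provider's database is useless to an attacker who does not also hold the vault, which is exactly the separation the working group's encryption and tokenization guidelines aim to make interoperable.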

This represents a significant expansion for the Alliance, which has hitherto focused on governance, rather than technically prescriptive standards. But now is the time to dig deeper, Reavis said.

“It’s part of the maturity process of cloud computing that you start with the governance levels,” he said. “As you see the different types of cloud solutions mature and you have market indicators of potential solutions, that is the right time to start building more prescriptive standards.”

The Alliance has ventured into technical projects before. It has conducted three hackathons around software-defined perimeters, a December 2013 initiative to help stop network attacks on application infrastructure. It is now beginning an open source version of that initiative. It also did some work on Cloud Audit, an XML-based specification for provider assertions. That was more of a technical tool to perform a governance task, though, Reavis said.

Just like the provider privacy assurance accreditation, the specification and reference framework from the Cloud Security Open API Working Group is likely to be released next year. It’s going to be a pivotal year for the Alliance.

Come and learn more at the Cloud Security Alliance Summit at SecTor, this October 19.