Today, CA Technologies (NASDAQ: CA) Chief Security Architect Tim Brown joined academic, government and technology leaders to offer testimony before the U.S. House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security on the opportunities and security risks associated with cloud computing.
In his testimony, Brown addressed four key areas CA Technologies believes must be considered in evaluating the transition to cloud:
• The reality of new complexities introduced with cloud computing;
• Security considerations for the cloud;
• The critical role identity management and authentication play in enabling cloud security; and
• The importance of global standards development and adoption to ensure interoperability and common implementation of cloud solutions.
“CA Technologies believes that the responsibility for securing the cloud lies with both the providers and the consumers of cloud solutions. The cloud is neither inherently more nor less secure than other IT services and solutions,” Brown testified. “Generalized concerns over cloud security on the one hand, and arguments that the security risks in the cloud are overblown on the other hand, have muddied the waters to the point that policymakers and practitioners are experiencing security schizophrenia. Should I overlook legitimate security concerns and plunge headfirst into the cloud, or should fear and uncertainty of these risks stop me from doing anything that even remotely resembles cloud computing? Like most responsible decisions, the answer lies somewhere in the middle of these two extremes.”
Brown also stated that “One of the greatest challenges facing the IT sector today is fostering online trust, including the important trust components of security and privacy. The fact is that most online threats and successful data breaches of late have been based on and exploit access control and identity management failures in systems. The Government Accountability Office has written to Congress about unauthorized access issues as recently as Monday of this week (October 3, 2011). Identity management and access management controls are central to the secure adoption of cloud services. Identity and access management practices within the cloud provide the foundation for effective security by ensuring that all users have only the appropriate level of access rights to protected resources, and that those rights are effectively enforced. IT organizations generally as well as cloud service providers, both public and private, struggle to keep up with the explosion in the number of users from multiple systems, applications and user communities that are consuming their services and the complexity of managing access rights for these users.”
CA Technologies provided the following recommendations to Congress to accelerate the deployment of secure cloud solutions:
• Adopt policies that can accommodate future development and flexibility in the cloud market, specifically, and in IT more generally. Too often, Federal policy has imposed static frameworks that must constantly be updated based on new technology developments. CA Technologies recommends that Congress focus on outcomes and not on specific technologies;
• Avoid policies that create a fragmented, country-specific market for cloud services in the United States. As the cloud market continues to evolve, there is great risk of market segmentation based on unique policies designed solely to address US market demands. Policies that acknowledge the global nature of cloud markets will enable the US to maintain its leadership position in cloud computing and encourage innovation to support jobs and exports of US-developed technologies;
• Support standards developed by recognized national and international standards development organizations in the areas of cloud security, interoperability, and transparency. These standards are vital to the management of cloud security risks;
• Fund and support the continued development and rollout of FedRAMP and the NSTIC;
• Continue support for NIST and its unique role in addressing emerging security issues; and
• Encourage the federal government to leverage emerging efforts to develop service measurement indexes like the Cloud Service Measurement Initiative Consortium in government cloud procurements. These efforts can provide federal agencies facing budget, performance, and transparency demands with tools that take data-driven approaches to evaluating competing offers of cloud technologies.