Goal is recommended cloud security practices
An action group is to be drawn together by vendors and businesses that will develop a set of security policy guidelines and recommended practices for suppliers and users of on-demand cloud computing services.
The Cloud Security Alliance will be launched at the RSA Conference 2009 in San Francisco starting April 20.
Its aim is to draw up a mandate outlining necessary security requirements for cloud and to promote independent research into best practices for cloud computing security.
Companies as diverse as Qualys, eBay, PGP, ING and vScaler have been named as among the founding members.
The Alliance said it should not be seen as a standards body, but rather a group with shared interests that will pool their expertise and help drive a common baseline for understanding security for cloud computing.
It intends assessing the security requirements needed to resolve the business concerns that are building around cloud computing, such as issues of e-discovery, governance and enterprise risk controls, through to encryption and key management.
It said that cloud computing business models challenge the presumption that a company possesses, or even controls, all of the digital business information for which the law imposes duties to preserve and produce.
The ability to govern and measure enterprise risk within a company owned data centre is difficult enough, and extending this to cloud computing resources also could lead to many new unknowns in enterprise risk.
The Alliance said it will explore 12 other ‘domains of concern’ including information lifecycle management, general legal, identity and access management, storage, virtualisation, application security, portability and interoperability, data centre operations management, incident response, notification and remediation, ‘traditional’ security impact (business continuity, disaster recovery, physical security), and issues impacting the architectural framework of enterprise security.