I keep reading articles about how the lack of cloud security standards keeps companies away from cloud services. Isn’t this just an excuse? We have security standards for our own organizations… or we should. We also know what is and is not considered best practice. Further, we should by this time understand how trust works and the controls to implement, monitor, segregate, and secure various trust zones. Isn’t the cloud just another trust zone?
Securing the cloud requires the same diligence we use when securing our data centers. The difference lies in oversight requirements. How do we ensure the service provider is achieving the security outcomes we expect? There are cloud service providers that do get it, providing mechanisms for customer oversight, audits, etc. If the provider in your conference room trying to sell her proposal can’t provide the necessary security assurance methods, find someone else..
Don’t use lack of cloud standards to prevent the potential business benefit of hosted infrastructure or applications.
Tom Olzak on Security 