
Guidance for cloud

by Mark Rowe

The Cloud Security Alliance (CSA), a US-based not-for-profit body that promotes best practices for security assurance in cloud computing, and the Software Assurance Forum for Excellence in Code (SAFECode), another non-profit body, have released new guidance on the secure development of cloud applications. The paper, “Practices for Secure Development of Cloud Applications,” aims to give practical secure-development recommendations in the context of the critical threats specific to cloud computing.
 
SAFECode and CSA set out to determine whether additional software security guidance was needed to address threats unique to cloud computing and, if so, to identify specific security practices. A joint technical working group analysed the existing secure software development practices and secure design considerations set out in the SAFECode publication “Fundamental Practices for Secure Software Development, 2nd Edition” in the context of CSA guidance, including “The Notorious Nine: Cloud Computing Top Threats in 2013.”
 
Howard A Schmidt, Executive Director of SAFECode, said: “Cloud computing has provided significant advantages to technology users of all kinds, and we have only just begun to explore the possibilities. Though the growth of cloud computing has created new security issues to address, the Cloud Security Alliance has provided the industry with a wealth of effective guidance to help mitigate many of these concerns. SAFECode’s collaboration with CSA fills an important need given the foundational role of secure software development in the effort to secure both cloud computing and the broader technology infrastructure.”
 
The working group confirmed that each practice SAFECode identifies as fundamental to software security applies equally to cloud software, and it also identified further practices that developers of cloud software should adopt given the threats in that domain. The paper covers multi-tenancy, trusted compute pools, tokenisation of sensitive data, data encryption and key management, authentication and identity management, shared-domain issues, and securing APIs.
 
Said Tabet, Senior Technologist, EMC Corporation and one of the paper’s primary authors, said: “It is our hope that by bringing together practical experience in both cloud computing and software security, we are able to offer secure development guidance that is both highly actionable and effective at addressing the unique security considerations of cloud software developers. We encourage individual enterprises to tailor our recommendations to meet their needs and to use them as part of a larger software security process that should continue to evolve alongside advancements in cloud computing.”
 
To aid others in adopting and using these practices effectively, the paper describes each identified security practice in the context of the unique attributes of cloud computing and the associated threats as identified by CSA. The recommended practices are mapped to specific threats, which gives a more detailed illustration of the security issues each practice aims to resolve and a starting point for those wishing to learn more. Each section offers specific action items for development and security teams, as well as references for implementation guidance.
 
“Practices for Secure Development of Cloud Applications” is available now as a free download from www.safecode.org and www.cloudsecurityalliance.org.
It was authored by Bryan Sullivan, Microsoft; Said Tabet, EMC; Edward Bonver, Symantec; Judith Furlong, EMC; Steve Orrin, Intel; and Peleus Uhley, Adobe Systems, Inc.
 
The paper’s key authors discussed the paper in a panel at the Cloud Security Alliance Congress.


© 2024 Professional Security Magazine. All rights reserved.