The Cloud Security Alliance published the second edition of its guidelines for secure cloud computing on Thursday, delivering a voluminous document that sets out an architectural framework and makes a host of recommendations around cloud security.
It also seeks to provide a firm definition on cloud computing, which has been the subject of much hype in recent years. According to the CSA, cloud computing environments feature on-demand, self-service consumption; allow broad access via networks; draw from a pool of shared computing resources; can be quickly scaled up or down depending on demand; and involve some type of metering to track usage.
Cloud computing has its benefits, such as economies of scale and standardization, but they in turn raise security challenges, the CSA said.
"To bring these efficiencies to bear, cloud providers have to provide services that are flexible enough to serve the largest customer base possible, maximizing their addressable market. Unfortunately, integrating security into these solutions is often perceived as making them more rigid," the document states.
"This rigidity often manifests in the inability to gain parity in security control deployment in cloud environments compared to traditional IT," it adds. "This stems mostly from the abstraction of infrastructure, and the lack of visibility and capability to integrate many familiar security controls -- especially at the network layer."
The CSA's report tackles cloud security on 13 different fronts, from governance issues like e-discovery, compliance and audits to operational concerns such as disaster recovery, application security and identity management. It updates an original edition released in April.
Also Thursday, Sun Microsystems announced a set of new open-source technologies that target some of the challenges highlighted in the CSA's report.
The new tools include:
-- OpenSolaris VPC Gateway, which lets users create a secure channel to a virtual private cloud on Amazon's EC2 (Elastic Compute Cloud) service, without special networking hardware.
-- Immutable Service Containers, for creating virtual machines with stronger security and monitoring functionality.
-- A series of Security Enhanced Virtual Machine Images (VMIs) for EC2. They include images for Sun's OpenSolaris operating system as well as software stacks, such as the open-source Drupal content management system.
-- A tool called Cloud Safety Box, which helps users manage the compression, encryption and division of information stored on cloud services. It includes support for Solaris, OpenSolaris, Linux and Mac OS X.