The Case for Cloud Security StandardsPohlman of Cloud Security Alliance on Developing Global Directives
"And they need to do it in a harmonized, cross-border, compatible fashion," he adds - which is why he's encouraged by the latest news of the Cloud Security Alliance partnering with the International Organization for Standardization/International Electrotechnical Commission to develop new, global security and privacy standards for cloud computing.
In essence, he says, organizations are coming together globally to answer this fundamental question: "What is the baseline security standard we have to have to trust third parties to govern our data?"
Pohlman compares the cloud security evolution with the development of railroad standards in Europe in the 19th century. "Countries realized eventually that having a joint infrastructure was in everybody's best interests."
This same realization is striking nations and businesses now re: cloud computing.
In an exclusive interview about emerging cloud security standards, Pohlman discusses:
- What the CSA/ISO partnership means for cloud computing globally;
- Cloud's greatest opportunities and challenges today;
- Advice to organizations that are sitting on the fence because of cloud security concerns.
Pohlman, in addition to his role with the Cloud Security Alliance, is Chief Governance Officer at EMC. In this role he coordinates the activities of standards based IT governance with EMC, its Security Division RSA and its holdings in VMWare and Acadia.
Within the Cloud Security Alliance he is CSA's Global Strategy Director and Co-Chairs Cloud Controls Matrix, Consensus Assessment and Cloud Audit for the CSA, in these roles he coordinates the activity of technical work groups within the alliance and acting as liaison with external cloud standards bodies.
Pohlman holds a Ph.D. in Computer Science, an MBA in technology management, and bachelors in Engineering Physics. Dr. Pohlman is a licensed engineer and holds the CSA CCSK certification the ISC2 CISSP certification as well as the ISACA CISM, CISA, CGEIT, CRISC certifications. He is also a trained paralegal and law student at Lewis and Clark.
TOM FIELD: Marlin, you're also Chief Governance Officer with EMC. Maybe you can tell us a bit about yourself, as well as your role, specifically, with the Cloud Security Alliance.
MARLIN POHLMAN: We at EMC make products that support the cloud infrastructure. We are very active in the cloud security space with the RSA Cloud Trust Authority and those components. My role, actually, at EMC is working in groups such as the Cloud Security Alliance and getting standards and best practices so that we can actually create a stable marketplace. And so, as part of that, the Cloud Security Alliance is instrumental in establishing cloud as a stable, solid, go-to-market platform for EMC's customer base. And so, from that frame, I work with individuals globally and across multiple companies to come up with security standards so that we actually have a stable place to do business in the cloud.
Partnership with ISOFIELD: Marlin, you used a key phrase there, cloud security standards, and I know you've announced a new partnership with the ISO group. What can you tell us about that?
POHLMAN: Well, last month, in Singapore, the Cloud Security Alliance was the third organization to receive a category C liaison status with ISO SC 27/JTC 1. Now, what this means, for those of you who aren't ISO aficionados, is a joint technical committee. So ISO and the Electrotechnical Union formed a joint committee to come up with IT standards globally. So anything that covers IT security out of JTC 1/SC 27, and the CSA was in attendance in Singapore and was fast tracked to cat C liaison status, along with the other two cat C liaison members, which are ISF out of the UK and ISACA, which those of you who are in the IT governance space know established the COBIT standard.
FIELD: Marlin, what's the significance of this partnership?
POHLMAN: Well, the significance of this partnership is it's incredible for those individuals looking at the cloud as a stable, solid platform to do business. It represents the maturing of an idea, the concept of a supply chain IT of shared infrastructure and services, moving from the dream stage into something that individuals can actually bank on and invest in and do real work.
And with ISO coming, supporting this cause, there's a global groundswell for the recognition that the old way of doing business wasn't cost effective, and the need for moving from the siloed company-specific IT infrastructure to a more commercial model, in the same way aviation went from individuals flying private planes back and forth between cities to the American Airlines and United and Delta commercial airlines. You're seeing that in IT. And so it is a massive change in how we are going to do business in the future.
So this is a unique movement in the sense that all three organizations have taken a unified step to recognizing that IT is moving from a decentralized siloed approach to a centralized commodity.
The Meaning of Global StandardsFIELD: Taking a step back, Marlin, what do you see as the ramifications of cloud security standards for cloud computing globally across the sectors?
POHLMAN: On a global basis, countries are recognizing that they need a unified approach for managing IT infrastructure services, and they need to do it in a harmonized, cross-border, compatible fashion. And so, in essence, what's happening is that representatives of the major governments globally are coming together and deciding what is the baseline security standards we have to have to trust third parties to govern our data.
And it's more to the way the railway systems were formed in the 1800s. Countries came together. Initially, countries had their own railway standards across Europe, and what happened eventually is countries realized that having a joint infrastructure was in everyone's best interests. And having a joint infrastructure helped facilitate global supply chain, and so the days of having to change the locomotive rails from one national border to another when a freight car would cross a national boundary, essentially that's dissolving for data. There will be one global standard for data governing in the cloud. It'll cover everyone within the supply chain, and roles and responsibilities will be very well defined, and I think that is a large move; that is a big move, globally. It has a lot of impact for how we perceive data as a type of property in the future.
Cloud's PromiseFIELD: As you know, Marlin, cloud computing has become ubiquitous over the past couple of years. Where do you see cloud's greatest opportunities today, building upon this news?
POHLMAN: Well, the concept that data is mobile, and the idea that whether countries like it or not, they've acknowledged and they've started toï¿½they've realized that in an era of mobile devices, not just laptops but mobile phones, iPads, with PDAs, data is not something you can contain to a specific geography or jurisdiction. And so the greatest opportunity really is nation states embracing the fact that they can become, through proper legislation and through proper adherence to international guidelines, they can become international havens for data.
Canada is a perfect example of this, where they've actually adhered to the European Union data protection directives voluntarily. In doing so, they have established themselves as a North American data hub by adhering to both privacy and globally accepted protection principles. Other countries have that ability as well, and the resolution of the national interest of safety and security versus the global interest of data protection and jurisdictional sovereignty over data based on its jurisdiction of origin, through a jurisdiction of transport, is an incredible opportunity.
I mean, North America will be a fast mover, but in Southeast Asia I've seen a lot of movement from Singapore. I'm seeing a lot of movement from the UK. Countries that are proactive in this space and are very active in the standards creation will establish themselves to be the next data Switzerland, if you will. In what Switzerland is to financial services, or has been historically, you'll see countries moving to assume those preeminent positions by enacting their own data protective directives that mirror the global standards.
Cloud ChallengesFIELD: The flip side of this is talking about challenges. When we talk with organizations, they typically will generalize and say that cloud security, privacy are challenges. What specifically are they talking about?
POHLMAN: The greatest challenge is convincing organizations that they can let go of the control points that they traditionally had within their environment and, to use the airline analogy, let someone else do the flying. I have a private pilot's license, but I'm much more confident when I'm in an Airbus or a Boeing going transatlantic than when I am taking a Piper up and circling my own neighborhood, and that's because I know my ability versus a commercial airline pilot's ability.
The greatest challenge is getting IT CIOs to acknowledge the fact that a big provider, like an Amazon, like an EMC, like an IBM, because they are in the business of providing security, because they're in the business of providing transparency, can dedicate the appropriate amount of resources to securing their data to a degree that they themselves couldn't do.
And so the idea of gracefully losing control while maintaining trust is hard for any executive, and having these global standards gives them a mechanism to do it. It gives them legal grounds for litigation if that trust is breached. It gives them recourse. It gives them the ability to quantify their risk and to do so in a way that shareholders will acknowledge.
And so that education is our greatest challenge, educating legislators that it's in their best interests to adhere to a globally uniform commercial code governing data supply chain, and educating them that their economies will benefit from adopting these global standards. I think that is our greatest challenge.
Advice to OrganizationsFIELD: Marlin, a final question for you. What advice do you have for organizations that are sitting on the fence today because of their cloud security concerns?
POHLMAN: Well, the first movers in this space will realize the greatest gain.
In healthcare, I'm seeing companies, hospitals even, that were initially resistant to becoming cloud enabled, taking preeminent roles, becoming cloud providers, and because of their position in the HIPAA supply chain, being trusted authorities, actually assuming the role of a cloud service provider and assuming those additional responsibilities and seeing great benefit in that their IT -- something that was a cost center, that was just effectively sucking revenue out of the hospital -- becomes a profit center, and actually seeing a return on investment for all their years of hard efforts in securing their IT infrastructure.
So, for those who are sitting on the fence, I would say those who move quickly will see benefit, and those who wait will have to compete with those who are able to leverage economy of scale in the cloud to offset their costs. And if you are a first mover in the space, you actually help define the level of security you need. So you can either sit back and let others do the work and live with what comes out of the process, or you can be on the forefront and voice your concerns, have those incorporated in the standards.
Voice your concerns for security in the cloud. Voice how you see this impacting you. Voice it to your national body representatives and to the Cloud Security Alliance, which is the perfect liaison into that body, and it will make it better for everyone. And as a business owner, I'd say move quickly and see some benefits and establish yourself as a thought leader.