PCI for the Cloud

For most enterprise and security vendors, the cloud is fascinating both as a technology and as a business disruptor. In fact, the CEOs of SaaS companies such as SuccessFactors, Salesforce and NetSuite are the hot shots in Silicon Valley these days. Yet most of us are still wondering how much IT budget will actually be thrown at the so-called private, hybrid and public clouds in 2010. So what is in the way of the big shift?

We had a good discussion on this topic at AlwaysOn today. At least, it seems that everyone agrees on the main challenges: integration is harsh, security is dicey and compliance seems out of reach. So, where do we start? I am starting to believe that here too, we need to provide a baseline for cloud security and trust. Like PCI for e-commerce, a certification for the cloud will not make the cloud completely secure, but it will at least provide a set of common definitions and best practices for cloud security and trust. It will also make it much easier for enterprise customers to evaluate and rationalize the security of any cloud vendor. In fact, prospective cloud customers will be able to contractually commit cloud vendors to well-documented certification levels and build additional SLA and security contractual requirements on top.

So whether you are a security vendor, a cloud provider or an enterprise, there is one more thing that we may be able to agree on: trust certification could drive cloud adoption by simplifying the definition, evaluation and contracts for cloud security, compliance and trust. Of course, it starts with identity, so it is time to get to work.

*** This is a Security Bloggers Network syndicated blog from Blue Ocean authored by Nico Popp. Read the original post at: