Cloud computing can help organisations of all sizes. Its benefits, in terms of rapid deployment and flexibility, are potentially significant, and security and privacy concerns can be mitigated through thoughtful, careful design.
So said Jeff Jones, CTO of Trustworthy Computing at Microsoft, speaking at the Microsoft Security Development Conference in San Francisco this week. The Microsoft Cloud Security Readiness Tool (CSRT), unveiled in November 2012, helps organisations better understand how cloud adoption compares to their existing policies, procedures and compliance, says Jones.
He says the tool builds on the Cloud Security Alliance's (CSA's) Cloud Controls Matrix (CCM). The CSA is a member-driven organisation that aims to promote the use of best practices for providing security assurance within cloud computing. He describes the tool as an interactive, easy-to-use survey that consists of 27 questions designed to get information about a business's industry and the maturity level of its current IT infrastructure.
The CSRT uses respondent information to provide relevant guidance in a custom report that helps organisations better understand their systems, processes, policies and practices, and improve the state of their current IT. It also helps them learn relevant industry regulations, and receive guidance on evaluating cloud adoption, he explains.
The questionnaire considers several areas, including security policy capabilities, personnel capabilities, physical security capabilities, privacy capabilities, asset and risk management capabilities, and reliability capabilities. Data collected by the tool over the last six months shows that most organisations are relatively immature across almost all of the control areas represented in the CSRT.
Strengths and weaknesses
Responses to the questions revealed that most businesses are focused on the following IT security areas: information security through deployment of anti-malware/anti-virus software, security architecture through clock synchronisation of networked PCs, and facility security through controlling user access to data.
However, weaknesses numbered far more. Jones said most companies do not focus on several other areas, including human resources security through prudent hiring practices, operations management through effective capacity planning, and information security through consistent incident reporting.
In addition, not enough attention is being paid to legal protection through the use of non-disclosure agreements and operations management through effective equipment maintenance.
He says the areas organisations focus least on tend to be handled more effectively in cloud deployments.
"From a larger perspective, although security factors must be considered when moving to the cloud, there are many security benefits to be realised."
Data collected from the tool over the past six months revealed that cloud computing has the potential for even greater security value and benefit than had been previously estimated, he concludes.

