Fathoming the cloud

Silver Linings

Much spoken of but little understood, "the cloud" poses new security problems that need to be defined and debated and their solutions facilitated.
Kurt Seifried

Chances are you may not yet have heard of the Cloud Security Alliance (CSA) [1], but I'm willing to bet you have heard of the cloud. Like ".com" in 2000, "cloud" is the hot code word du jour. Much like Linux in 2000, "the cloud" is currently approaching the "Peak of Inflated Expectations" rapidly [2]. However, Linux had numerous organizations and companies to help it move from inflated expectations to the "Plateau of Productivity." Although Linux has not yet become a big hit on the desktop, it's doing quite well in the server world – LAMP stack anyone?

To move the cloud from being an over-used buzzword to something that we actually use to get work done, it's going to need some help. The good news is, on the provider and products front, we have more than enough vendors frantically pushing cloud solutions that, once it shakes out, we will be left with some good stuff. But on the security side, what are we going to do? One of the primary benefits of the cloud, and one of its biggest problems, is giving up control – of the hardware, your data, and so on – to a provider.

What Is the CSA?

Ask, "What is cloud computing?" 100 times, and you'll get 100 different answers. Start asking about cloud security, and you'll get a mixture of answers, shrugs, blank looks, and offers to buy "cloud-enabled" security products. One of the biggest challenges is actually to agree on what cloud computing is and the various names for its services and components.

The elements most people agree on appear to be multi-tenancy (i.e., sharing resources with numerous other customers), on-demand self-service (companies love customers using automated systems to lower their overhead), measured services (i.e., pay for what you use), and elasticity (you need one server? 1,000 servers? No problem!). These elements are exemplified by most modern cloud providers. Google, Amazon, and the like will literally carry you as a customer for pennies a month. For example, one month with Amazon, when I didn't use anything other than some storage, cost me just US$ 0.02. Alternatively, these providers will happily let you scale up and use massive amounts of capacity, as witness Netflix living in Amazon's EC2 cloud.

On the security side of things, it gets much messier. At what point is a service, such as email spam filtering, "cloud enabled"? If it runs within a cloud provider like Amazon? If they run their own data centers but provide enough capacity to handle customers from one piece of email a month to one billion pieces of email a month? I'll be honest. I have no idea, and I bet five years from now, I still won't have a solid answer for you.

What the CSA Does

The CSA has a number of projects ongoing, but they all largely boil down to a few key areas: defining the problem and environment of cloud security, education, standards, certification, and research under the auspices of several working groups. Additionally, the CSA is trying to connect people through local chapters and various working groups and research projects. Think of the CSA as a neutral third party, a sort of facilitator, much like Switzerland or a football referee, except that instead of only refereeing the rules of the game, they're also trying to help escalate the game.
