RSA promotes trust in the cloud

September 19, 2011, by David
Grazed from ITWire. Author: Stephen Withers.

Some of the major barriers to the adoption of cloud computing involve trust and security. Part of the problem is that even if the parties are prepared to exchange information, the many-to-many relationships mean a lot of work…

A common hub would simplify matters: each provider and customer could then work with a single set of interfaces. That’s what EMC subsidiary RSA proposed earlier this year as the Cloud Trust Authority (CTA).

The company says the CTA "is a set of cloud-based services for identity, information, and infrastructure cloud security as well as compliance reporting designed to facilitate secure interaction among organisations and cloud service providers."

David Walters, RSA’s senior director, GRC (governance, risk and compliance) strategies and solutions, told iTWire that in addition to wanting access to compliance-related information from their cloud providers, organisations also want to apply their existing role and group controls in the cloud, and so the company is working with VMware via the CTA to allow this.

CTA is currently setting up trials involving various providers and a small number of mainly US- or EMEA-based customers, and the project will reach the proof-of-concept stage this quarter, he said. General availability of the service is expected during 2012.

According to Mr Walters, some smaller cloud providers already give their customers access to GRC-related information as a way of distinguishing themselves from larger competitors, which tend not to do that. "We’ve seen some of the smaller players play this up," he said.

While much of the initial work is in the IaaS space, he suggested that SaaS providers – which are currently "more of a black box and unwilling to share" – will be drawn in as such offerings become more involved in organisations’ core activities. Mr Walters noted that some of the existing CTA participants are SaaS providers.

He also pointed out that RSA has worked with VMware on a cloud security compliance solution that embodies VMware’s 130 hardening guidelines and provides reports of any breaches of those guidelines via RSA’s Archer enterprise GRC product, mapping them to any relevant standards (e.g., PCI) and prioritising them appropriately.