To offer an assessment of the current state of mobile computing and the threats it faces, the Cloud Security Alliance (CSA) has published a guide covering critical areas, with recommendations on best practices in this area.
The CSA has updated its Cloud Controls Matrix (CCM) with recommendations of best practices for securing the cloud. The CCM Version 3.0 document, “Security Guidance for Critical Areas of Focus in Cloud Computing version 3.0”, addresses information security risks in accessing, transferring, and securing cloud data across the following domains: mobile security; supply chain management, transparency and accountability; interoperability and portability; and encryption and key management.
The document provides an assessment of the current situation of mobile computing as well as details of the main threats that exist today in this area. Mobile computing has changed the way we work, ushering in a new era of productivity and efficiency. But the benefits of mobility ultimately carry an implicit cost: ensuring that established security protocols are applied consistently and correctly.
CSA recommends a clearly defined mobile use policy. The policy can dictate how the device is secured, what information it stores and what data on the device the business has access to. It also addresses the threats and concerns of IT professionals with regard to mobile computing, with an introduction to each of the main components of mobile computing, including trends such as Bring Your Own Device (BYOD) authentication, application stores, mobile device management (MDM) and security. Many users lack a fundamental policy to control which services they can access from their mobile devices.
Besides preserving data security and managing a large number of personal devices, companies must also take into account the new set of legal and ethical issues that may arise when employees use their own resources to do their jobs. Companies that are not protected by policies in the workplace are exposed to great financial risk.
The CSA also recommends new guidelines for supply chain management, transparency and accountability. The report said that customers should have a clear understanding of exactly how data is handled by their provider. They should be aware of service-level agreements (SLA) and security controls, but should also have some understanding of the underlying infrastructure as a service (IaaS).
The CSA CCM provides a controls framework including other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP.
CCM adoption gives cloud providers a manageable set of implementation-ready controls that are mapped to global security standards. For customers, it acts as a catalyst for dialogue about the security posture of their service providers, something that was impossible before the CCM existed.