A comment that I liked on cloud computing came out of Sun's CommunityOne conference June 1 in San Francisco. It was from Tim Mather, a member of a panel on "Securing the Cloud--Why, What and How?" He said: "The trust boundary has moved with cloud computing but no one is clear where to."

Charles Babcock, Editor at Large, Cloud

June 2, 2009


Mather is VP and chief security strategist for RSA, the security software division of EMC Corp. The trust boundary he refers to is the ability to trust data because it comes from a known source, is in a validated format and is being stored in a secure setting. If the cloud is providing database processing or data storage for you, who is responsible for the trust boundary? The user, the cloud? Both?

Cloud providers may say, "You can trust us," but Mather warned: "There's a serious lack of transparency (on how security is being provided)." Cloud vendors don't necessarily wish to air their security measures because that makes them easier to breach.

"What vendors are doing needs to be made public," continued Mather. The exact measures don't need to be aired, but the degree of security provided needs to be stated, then audited by a trustworthy third party, who concludes whether the vendor is doing what it claims to be doing.

Before that can happen, standards that define degrees of data security need to be established. A vendor can claim solid practices, but also choose to define security policies in terms that are more flattering to its own practices than warranted, or at least more flattering to itself versus the next vendor.

Getting to step two is a bit hypothetical "when we're not even to the first step (cloud supplier transparency) yet," he concluded.

The National Institute of Standards and Technology has a draft of security standards for one party handling another party's data and it should serve as a starting point. It's SP 800-117, the draft Guide to Adopting and Using the Security Content Automation Protocol (SCAP), which was released for public comment on May 9th. SCAP includes "specification for organizing and expressing security-related information in standardized ways."

A PDF of the draft can be downloaded from this NIST site, where there's a link that takes you to public comments.

Those thinking about using the cloud may find delving into security practices an exercise beyond their present level of engagement. But another member of the panel, David Hahn, senior VP and group information security officer of Wells Fargo, reminded the CommunityOne audience that Massachusetts recently passed a law that makes the data originator responsible for its security, regardless of where it's sent to be stored.

"If something goes wrong and you're asked what security measures were in place, it's not a good answer to say, 'I don't know where their data center is,'" he warned.

About the Author(s)

Charles Babcock

Editor at Large, Cloud

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse University where he obtained a bachelor's degree in journalism. He joined the publication in 2003.
