Box.com forges new cloud security model

Service providers and consumers need to move to a security model better suited to cloud computing, says Box.com

The time has come for service providers and consumers to move to a security model better suited to the cloud computing era, says cloud-based content management and collaboration firm Box.com.  

The firm has pursued transparency or openness as a key policy to establish trust with customers concerned about security in the cloud environment.

Customers are able to access all activity and transactions related to their content and even download that data to their security information and event management (SIEM) systems.

They also have access to SOC1, SSAE16, SOC2, ISO27001 and internal audit reports and quarterly penetration test reports. 

Box.com even allows customers to perform their own penetration tests.

In pursuit of greater transparency, Box.com has also achieved compliance with the US health sector HIPAA standard and is working on compliance with the US government FedRAMP cloud security assessment programme.

Limitations to this approach

However, this approach has its limitations, according to Justin Somaini, chief trust officer at Box.com and former chief information security officer (CISO) at two Fortune 500 companies.

He is calling for a new security model that can address the security issues arising from the evolution of computing on the one side and cyber threats on the other.

Somaini has begun working on a new model in consultation with the Cloud Security Alliance (CSA), which he hopes will evolve into an industry standard that will benefit cloud service providers and users alike.

He believes that cloud computing is essentially a return to centralised computing, which is an opportunity to achieve the security benefits the industry has been missing out on for 40 years.

“There is a lot of security value you can get when you move back into a centralised computing utility,” he told Computer Weekly.


“It is only when we bring content back to a centralised model do we have the ability to apply identity, authentication and authorisation capabilities,” he said.

Consumers of cloud services have a role to play in having an open mind about the possibilities of doing things better in the cloud from a security point of view.

The importance of security

At the same time, cloud providers must strive to make security a differentiator by building products that share the customers’ objective of fending off attackers and ensuring confidentiality, integrity and availability, said Somaini.

Transparency around activity and transactions involving customer content is a key component, he said, but many cloud providers still do not allow customers to access logs to see what is going on.

Many also still do not have good security certifications or detailed audits to provide a level of transparency around how they are managing content.

Without transparency there can be no trust, said Somaini, which is why he is forging a new security model that is aimed at enforcing this principle in the cloud services industry.

“One of the things I am calling for in the industry is a more detailed and prescriptive audit and certification specifically for cloud providers,” he said.

For example, it should require cloud providers to supply all documentation on how they work instead of just a certification letter, and allow customers to view and download all transactions on their data.

Other important questions would be around providers’ ability to assist in any e-discovery requirements, how they defend against advanced cyber threats, and how they deal with application security.

Leapfrogging cloud-specific frameworks

Internally, Box.com is seeking to roll out a version by the end of the year to leapfrog the cloud-specific framework within the ISO model, which is expected to take years to develop.

Somaini intends to update and mature the CSA’s control compliance matrix as the basis for new controls aimed at giving customers greater visibility and transparency than the SOCs, SSAE and ISO can.

He hopes that once established, these controls will be rolled into the fledgling ISO cloud framework.

“My intent is to drive something new into the security industry and I believe the best place for it and the best leadership I can see doing this is the CSA,” said Somaini.

He is in discussions with the CSA in the hope of being able to create a new certification that will give users of cloud services better trust in what providers do and how they do it.

Somaini believes security professionals need to learn that there is a better security model than what they do today and cloud suppliers need to provide better capabilities to enable trust and transparency.

“Both sides of the industry have some work to do if we are to solve some of the fundamental problems in the industry,” he said.
