Everyone wants to talk about “The Cloud,” a term that has become as amorphous as the concept of the ether once was for the Internet. There are more than two dozen definitions of what constitutes “the cloud,” which causes great confusion about how it should be used. Consequently, how end users properly secure their clouds and maintain the integrity of their data is of high concern.
A new report by the Cloud Security Alliance (CSA), commissioned by Hewlett-Packard, enumerates the security concerns of midmarket and enterprise customers. They are:
- Abuse and Nefarious Use: This is a fancy way of saying that attackers gain access to applications and resources by cracking accounts and passwords.
- Insecure APIs: Faulty code used to create hooks between on-premises applications and their cloud-based counterparts, which could lead to a breach (see last item).
- Malicious Insider Risks: Staff in the data centers hosting the clouds using their credentials and access to manipulate applications and data, and to steal digital valuables.
- Shared Technology Vulnerabilities: Malware infecting one virtual machine crossing over the partitions through the hypervisor to infect other applications.
- Data Loss and Leakage: The unauthorized or accidental release of data to third parties.
- Account Service and Traffic Hijacking: This is another way of saying denial of service attacks.
Interestingly, PricewaterhouseCoopers released a similar study that denoted end-user concerns about cloud security. In that report, the security concerns inhibiting adoption are, in order of ranking:
- Poor provider controls
- Inadequate training of service provider personnel
- Inadequate or poor access control
- Poor data disaster recovery and business continuity planning
- Lack of data and resource segmentation
- An inability to audit controls and regulatory compliance
Reports such as these are designed for one purpose - to scare the bejesus out of some security and IT manager who is already confused about cloud computing into seeking professional (i.e., compensated) guidance for securing these vastly mysterious cloud systems.
But both lists are missing some essential elements. Here’s what I would add:
- SLA Compliance: Is the service provider delivering the level of service (availability) and security (confidentiality, integrity) as defined by the service contract?
- Incident Response Procedures: Does the service provider have a plan for responding to security incidents and what is the expectation for response times? Does the service provider test these procedures?
- Ease of Doing Business: Is the service provider responsive to security concerns? Does it work with the client team in resolving conflicts and adapting to specific security requirements? Does it provide support for auditing and compliance reporting?
- Data Portability: Probably the most important item - if the service provider isn’t living up to either the performance or security expectations, how easy is it to extract data and transfer to either another service provider or an on-premises system?
These are not trivial issues. In fact, they point to a gap in understanding about what cloud security really means. I’ve talked with several cloud and security service providers, enterprise IT security managers, and system architects about this. They are largely unanimous in their view that securing the cloud requires essentially the same controls that are put in place for an on-premises data center or infrastructure. The difference is the responsiveness and level of cooperation in working with the service provider.
Take, for instance, the relationship between Hosted Solutions and Belk Department Stores. When Belk decided to expand its online e-commerce platform, it chose to outsource the Web hosting and sales transaction functions to Hosted Solutions rather than build a new $2 million data center. Hosted Solutions, which is a SAS 70 accredited data center, worked with Belk in designing the systems and controls to ensure PCI-DSS compliance. Third-party audit teams and Belk’s compliance team each have access to the Hosted Solutions data center to spot check and ensure that the required security controls are in place and working properly.
The level of trust and cooperation between Belk and Hosted Solutions is so high and integrated that the department store chain’s chief IT architect, Neil Ayrons, said, “The pieces I’m putting in Hosted Solutions’ data center are the things that could land me on the front page of the Charlotte Observer.” Usually, enterprises don’t outsource anything that will land them in hot water, but in this case Belk has a level of confidence that enables that type of service engagement.
For solution providers either consulting with customers about cloud computing security or delivering cloud security services, there’s no mistaking the need to build a trusted business relationship and to deliver on the goals and expectations that come with being a synergistic partner.