IP Expo: The concept of 'security' has completely altered, says CSA

Industry body says security is no longer possible to guarantee, and organisations can now only hope to be 'more or less' secure

The president of the Cloud Security Alliance (CSA) told delegates at IPExpo yesterday that security should no longer be considered a 'secure or not' concept but a more fluid one that relates to compliance and risk management.

Des Ward, president of the UK & Ireland Chapter of the CSA, attributed the change to the growth of the internet and of the bandwidth available to it.

He said that when upload and download speeds were limited, there was little opportunity for vast amounts of sensitive data to go missing, because the data was hard to reach in bulk.

"Until the late 90s security was easy to do. You had a server and a slow internet connection, so you knew where your information was. It was in your cabinet or in a server," he said.

Ward added that today, information could be anywhere, and the attempt to secure it often renders it harder to track.

"Now, your data could be anywhere and it's hard to control who accesses it. We use [cryptographic protocol] SSL [Secure Sockets Layer] as it's the de facto banking standard.

"But as soon as you use these security controls you can't see what's going across the wire, so your data becomes harder to track."

Ward argued that with the near impossibility of ensuring that data is totally secure, the term 'security' becomes a misnomer.

"It's very hard to neatly partition this thing called 'security'. It's a binary: you're either secure or you're not. What we're moving towards is compliance risk management," he said.

He explained that a better way of approaching the problem of security is not to start with the mindset that you will never lose data, as this is an impossible position.

Instead, he said that businesses should focus on compliance risk management, ensuring that applicable regulations and accepted standards (such as ISO/IEC 27001) are met.

He concluded that this is especially relevant when choosing cloud providers, as many leave at least some of the compliance responsibility with the client.

"Ask the cloud provider what standards they comply with. Also ask who is responsible for ensuring compliance. Ask if you need to do anything.

"Many providers' contracts say that the client is responsible, but the clients are unaware of the small print."