
Infosec volunteer group’s new project to tackle the cloud

June 14, 2010

A nonprofit that documents data breaches will extend its research efforts to the cloud.

The all-volunteer Open Security Foundation (OSF) later this month plans to launch "Cloutage," a new project that will track incidents involving the cloud.

"There's a whole lot of attention given to the cloud these days, and rightfully so," David Shettler, CTO of the Open Security Foundation and information security officer at the College of Holy Cross in Worcester, Mass., told SCMagazineUS.com. "It has significant benefits in terms of cost savings. We also feel there is a darker side to the cloud."

The group plans to chronicle five categories of incidents: lost data (such as when a Microsoft server failure caused Sidekick smartphone users to lose data), automatic failures (such as when a flawed McAfee security update forced some corporate PCs to reboot incessantly), intrusions (such as when cloud provider Google suffered a data breach), outages (for example, if Amazon Web Services or Salesforce.com were knocked offline) and site-specific vulnerabilities affecting cloud service providers.

So far, OSF has added roughly 65 incidents to its database, but there "is a ton of back fill" still to do, Shettler said.

Most organizations are using the cloud in some way, he said. Over the past year, a number of notable organizations, such as the city of Los Angeles, have announced plans to move some applications to the cloud.

The OSF project will provide companies with data they can use to decide whether to continue their forays into the cloud or stick with on-premises solutions.

"The goal is to hopefully take all this information that is out there and aggregate it in such a way that would be useful to security researchers and people who are doing business in the cloud," Shettler said. "We're doing this so there's a data set somewhere that is accurate, unbiased and well maintained."

The metrics generated by OSF might help organizations consider areas of risk they may have overlooked, said Kevin McDonald, a senior information technology analyst and cloud strategist at ICF International, a consultancy based in Washington, D.C.

"There's certainly room in the industry for some sort of Consumer Reports type of thing," said McDonald, who has authored a book on cloud computing. "That may be the role they can play."

He added that he would want OSF to follow incidents through to their resolution.
