The Cloud Security Alliance’s Marlin Pohlman, chief governance officer at EMC, in an interview at the RSA Conference, talks about the progress of the Alliance’s various initiatives, the areas that need the most attention and what its near future is likely to hold.
NR: Are organizations actively using the Consensus Assessments Initiative Questionnaire (CAIQ)?
Pohlman: It is becoming a vendor selection tool, which is what Jason Witty originally had in mind. He was the inspiration behind CAIQ. He was with Bank of America and he realized, “I’m with a big bank, and I can’t pick a vendor; everyone is giving us SAS 70s, and they’re all different, and they’re pretty much worthless.”
In the financial services space and the health care space, we are getting a lot of traction on CAIQ as a selection tool. Laura Posey [lead co-chair] is going through CAIQ and starting to weight questions; we have the 98 controls, but the real question is, how are you going to assert that you are compliant with these controls, and how do you prove you are compliant?
So you have your assertion, that you’re compliant with this control. You have the CAIQ, so you say, “Yes, yes, no, no, yes….” We have Trusted Protection Module labeling; we have certified individuals to do audit. We have everything on a technical level saying we have the technical infrastructure to support this. Then there is policy, process and procedure, and that’s why there are more questions than controls. You know what you do – how do you prove what you say?
That’s where we get Cloud Audit. In its current iteration it’s a file cabinet, where you put your assertion document; if you’re HIPAA compliant, you can go through each HIPAA control and can specify, “For this control, I’m compliant,” and have a link to not only my control statement, showing that I am asserting I am compliant, but I can link to an SCAP, OVAL or XCCDF statement. I can do CloudLog, which is Syslog in a cloud, or I can do a DMTF cloud audit, and I can give you continuous monitoring of those statements that I claim to be compliant with. It’s a very clean mechanism to satisfy your chain of trust.
NR: What are the gaps? Which areas still need to be refined?
Pohlman: The area that most needs to be reinforced is legal. After having just gone to lunch with the Information Protection Authority of Japan, I realize there are a lot more legal constraints than we have addressed. We really need to dig into the legal frameworks that are in place and how data is to be treated as a transient physical asset and how it can be done internationally.
The legal aspect is the most pressing issue because a lot of us are technologists. I’m going back for a law degree because I am an engineer first, an MBA second, and got the PhD somewhere along the way. But I can’t practice law in any state in the Union. We need more legal controls, absolutely.
NR: If CSA is heavy on technologists, how do you deal with legal controls going forward?
Pohlman: We are reaching out to liaison relationships with the ABA, reaching out to liaison relationships not just to U.S. legal bodies but also the EU, the Japanese Ministry of Information Technology and Trade Protection Agency. We’ve reached out to some information protection agencies in South America. We’re forming liaison relationships so we understand not so much the laws, but the actual nature of the law, the difference between common law and tort law, and how the Latin legal system differs from the English legal system and how that would influence the transfer of intellectual property — call it data, call it code, what have you — between multinational constituencies.
NR: What do you expect to see in version 3 of the CSA Guidance?
Pohlman: In 1952, the Uniform Commercial Code came about because there was a paradigm shift: The concept of a supply chain was added to production, and the idea that non-real property would supersede real property in interstate commerce became the norm and not the exception.
We’re seeing the same paradigm shift in data, where we add a supply chain to data storage. Now we have something that is a lot more transient, a lot more fungible and a lot more open to disclosure. We have to understand how to treat it like property. In some Latin American countries, habeas data, the constitutional requirement, makes it property, so we can’t neglect that obligation to at least a third of the world.
So, the guidance, I believe, will follow the same line as other documents, such as the EU directives, which aren’t themselves law, but are taken on by the member states and codified into law. I see the guidance becoming the groundwork for a series of recommendations that can be taken on by a nation state to form their nation’s rights, remedies and obligations for transmission, storage and destruction of data. Those obligations will be based on the position in the supply chain.
So, in the next version of the guidance, I believe, you will see a template, something that will be consumable by the legal community, as a basis for a digital form of commerce.
NR: Are you happy with the level of contribution from the IT community at large and associated communities, or do you think the Alliance may be a little too vendor-biased or vendor-heavy?
Pohlman: Obviously, those of us who make products in this area want to create a market. We’re still at the point where we’re creating a market in general, not a market for our products; we just want to create a level playing field. So at this point, all of the vendors seem to be getting along pretty well, because we realize unless we make a common market for our business, none of us are going to profit.
Now, what I’d like to see is that go beyond those of us who make hardware for the cloud, and software for the cloud, to encompass more of those that provide services in the cloud. And you’re seeing that with Salesforce finally coming into the fold; they’ve kind of been on the outside for a while. You see Google coming in; you see Amazon. For a long time we’ve been looking to individuals like [CISO] Dave Cullinane at eBay, who is a prime consumer of cloud services, and taking their contribution, especially in the Trusted Cloud Initiative, as guidance as to how we build our solutions. It is my fastest road to a consumer to find out what they want. If we expand that circle, between consumer and supplier, we have legal experts and auditors.
Going a step further, as we expand the community, I would like to see more sociologists and economists get involved, because the concept of a supply chain is new to the space, and the impact the supply chain will have on the technology is yet to be determined.