McAfee seeks trust in the cloud

Beverley Head
Wednesday, 26 May 2010 15:03

Business IT - Security

McAfee knows only too well what can happen when software released as a service is faulty. Just a month after its public relations disaster following the release of a faulty DAT file which crashed enormous numbers of its users' computers, the company's chief technology officer for SaaS is in Australia talking up the importance of cloud computing security.

Scott Chasin who spoke at CeBIT this week, claims that; 'This is a very unique time. It is one of the first times we have the ability to define the risks to the cloud before we see their full ubiquity.'

In March the company announced its Cloud Secure programme, which is currently being used by Amazon Web services and SuccessFactors. Still the only two announced users of the programme, which constantly checks cloud security and then issues a McAfee Secure trustmark that the cloud provider can display, the company is keen to line up as customers other suppliers of public clouds, and enterprises developing private or hybrid clouds.

Asked why enterprises should trust a company which could not even manage what came out of its own cloud to oversee the security of their clouds, Chasin said that; 'For us it was an almost perfect storm of events. The big lesson for us was our reaction as a company.'

The experience has no doubt informed McAfee's approach to cloud security. According to Chasin; 'Enterprise customers demand security validation from their cloud providers.' Today that generally involved an annual audit under the ISO 27001 standard he said.

Chasin however believes that should be augmented with continuous cloud security analysis and vulnerability testing such as that offered by McAfee Cloud Secure. This would be particularly important as clouds within clouds developed, where services were provided to end users through what amounted to mash-ups of different clouds some providing infrastructure, some providing software for example.

He said that the company was now working with KPMG, which conducts IS0 27001 audits to extend the range of services that could be made available to cloud providers and cloud users. Chasin said that McAfee was also participating in the Cloudaudit.org group which was created in January with the intention of automating the audit and assurance of cloud services.