A Lesson On Lists And Trusted Cloud Services
March 19th, 2010 By Ron Knode
Lists are usually good things to have. They help us to organize tasks, concentrate our attention, and discipline our time and money. On the other hand, lists can also "cloud" the real goal or objective, and nudge us into a one-at-a-time, check-off style of work (occasionally called "stovepipe" work) that prevents us from recognizing linkages between items on the list, and targeting the ultimate objective or outcome.
I worry then about "recipes" for security in cloud computing.
For example, when we wish to make a nice meal, we often make a list of ingredients to buy. As long as we remember that the meal is the objective, the list of ingredients is helpful. If we didn’t know about the meal, and all we had was the list of ingredients, we could get all of the ingredients and still not meet the objective of making a meal. That’s the lesson of lists. We confuse the ingredients for the meal! We focus on the items on the list … one at a time … without making the connection between items, or altering our actions if better ways to achieve the real objective materialize.
We saw recently the publication through the Cloud Security Alliance (CSA) of the "Top Threats to Cloud Computing" Version 1.0 (2010). We can add this good list to the other lists we have come to know, e.g., the CSA’s "Security Guidance for Critical Areas of Focus in Cloud Computing," the "Consensus Audit Guidelines," and the relentless stream of best practice guidelines for cloud processing (official and otherwise) that emerge over time. But, if we simply take this latest list (or any list) and turn it into a process handbook, we have just mistaken the ingredients for the meal.
An examination of the threats identified in this first listing from the CSA illuminates two helpful conclusions:
- Five of the seven threats listed are directly related to the absence of transparency in the cloud. The threats identified as "Malicious Insiders", "Shared Technology Vulnerabilities", "Data Loss/Leakage", "Account, Service, and Traffic Hijacking", and "Unknown Risk Profile" are all made more threatening by the absence of visibility into and through the cloud. Add enough transparency and they would be far less likely to be on the list. In this case, one common ingredient can make the meal.
- The other two ("Abuse and Nefarious Use of Cloud Computing" and "Insecure Interfaces and APIs") are related either to motivation by a user (bad guys using the cloud for spam, for example) or poor software development. These items do indeed represent unique ingredients.
Without remembering the lesson of lists we could easily generate a cloud security program effort that targets each threat one-at-a-time and miss the big meal reward that transparency can bring. It is trust we seek in the cloud, not merely the absence of threats.
So, welcome the CSA threat list. Review it. Analyze it. But seek the connections between items, and plan your menu of cloud protection actions around the essential ingredients (like transparency) that deliver trust to the cloud.