August 26, 2011 | Leave a Comment
With the rapid adoption of cloud computing technologies, IT organizations have found a way to deliver applications and services more quickly and efficiently to their customers, incorporating the nearly ubiquitous utility-like platforms of managed cloud services companies. The use of these cloud technologies are enabling the delivery of messaging platforms, financial applications, Software as a Service offerings, and systems consolidation in a manner more consistent with the speed of the business.
However, audit and compliance teams have been less aggressive in adopting cloud technologies as a solution of choice for a variety of reasons – there may be a lack of understanding of what security components are available in cloud; there may be a concern that the controls in cloud are inadequate for securing data; or, there may be a fear that control over the environment is lost when the application and data move to the cloud. And, while these concerns are understandable, there is an ever-growing recognition of the security and compliance benefits available in managed cloud services that are putting to rest the minds of corporate audit and compliance teams.
Here are five steps you can take to ensure that your audit and compliance team is comfortable with the cloud:
1. Understand and be able to relay the compliance requirements to your cloud service provider. I have worked with organizations in all industries with a wide variety of regulations, and the most successful organizations adopting cloud come with a very in-depth understanding of what security controls and technologies are necessary to meet the compliance of their own organizations. For example, we had a large provider of healthcare services approach us with a request to move a portion of their environment to cloud. This environment contained Patient Health Information (PHI), and the customer knew that, in order to pass their audit, they must be able to:
a) Enforce their own security policies in the new environment including password policies, standard builds, change management, incident handling, and maintenance procedures.
b) Incorporate specific technologies in the environment including file integrity monitoring, intrusion detection, encryption, two-factor authentication, and firewalls.
c) Integrate the security architecture into their already robust security operations processes for multisite event correlation, security incident response, and eDiscovery.
By ensuring that the cloud environment was architected from the very beginning with those controls in mind, the audit and compliance team had very little work to do to ensure the new environment would be consistent with the corporate security policies and achieve HIPAA compliance.
2. Select a cloud provider with a history of transparency in security and policies built into the cloud platform. It is extremely important that the controls in place supporting the cloud infrastructure are consistent with those of your organization or that the cloud provider has the flexibility to incorporate your controls into the cloud environment that will house your data. It is important to note that compliance is not one-size-fits-all. An example of this is the financial industry, where there are very specific controls that must be incorporated into an IT infrastructure, such as data retention, data classification, business continuity, and data integrity. Be sure that the managed cloud services provider is able to incorporate those policies that differ from the standard policies. Key policies and services that are often adjustable for different industries include the following:
a) Data and Backup Retention
b) Data encryption at rest and in transit
c) Business resumption and continuity plans
d) eDiscovery and data classification policies
e) Data integrity assurance
f) Identity and access management
Most organizations maintain a risk management program. If your company has a risk assessment process, include your provider early to ensure that the controls you need are included. If your organization does not, there are several accessible questionnaires that you can tailor to suit your needs. Two great resources are the Cloud Security Alliance (https://cloudsecurityalliance.org ) and the Shared Assessments program (http://www.sharedassessments.org ).
3. Understand what the application, the data, and the traffic flow look like. It is not uncommon for a cloud customer not to understand exactly what data exists in the system and what controls need to be incorporated. For example, one of the early adopter of cloud services I worked with years ago did not know that the application they hosted processed credit card transactions on a regular basis. When they first came to us, they wanted to put their Software as a Service application in the cloud not knowing that one of the uses that a customer of theirs had was to process credit cards in a high-touch retail model – the Payment Card Industry Data Security Standard (PCI DSS) was the furthest thing from their mind. After the end-customer performed an audit, the gaps in security and policies were closed by incorporating those policies and technologies that were made available in the cloud platform. Further, by understanding the transaction and process flow, the customer was able to reduce costs by segmenting the cardholder environment from the rest of the environment, and implemented the more stringent security controls on the environment with the cardholder data
4. Clearly define the roles and responsibilities between your organization and the managed cloud services provider. Some of the roles and responsibilities in a hosted service clearly belong to the hosting provider, and some clearly belong to the customer. For example, in cloud, the underlying cloud infrastructure, its architecture, its maintenance, and its redundancy is clearly the responsibility of the provider; likewise, the application (in many cases) and all of the data maintenance is clearly the responsibility of the customer. However, how an organization assigns roles and responsibilities for everything in between and assigns responsibility for the ongoing compliance of those roles and responsibilities is extremely important to the ongoing management of the compliance program. Remember that some of the controls and security technologies may be in addition to the cloud platform, and your requirements may result in additional services and scope.
5. Gain an understanding of the certifications and compliance you can leverage from your managed cloud services provider. Your managed cloud services provider may have an existing compliance program that incorporates many of the controls that your audit team will require when assessing the compliance of the cloud environment. In many cases, this compliance program, and the audited controls, can be adopted and audited as though they were those of your organization. For example, some cloud providers have included the cloud platform and customer environments in their SSAE 16 (formerly SAS70) program. The SSAE 16 compliance program is audited by a third party, and provides the assurance that the controls and policies that are stated within the provider’s compliance program are in place and followed. By inclusion into that compliance program, you may provide your auditors with a quick path to assessment completion.
The most important thing to remember in moving your environment to the cloud is to be sure to have conversations early and often with your provider regarding your requirements and the specific expectations of the provider. They should be able to provide the information necessary to be sure that your environment includes all of the security and controls to achieve your company’s compliance and certifications.
Allen Allison, Chief Security Officer at NaviSite (www.navisite.com)
During his 20+ year career in information security, Allen Allison has served in management and technical roles, including the development of NaviSite’s industry-leading cloud computing platform, chief engineer and developer for a market-leading managed security operations center; lead auditor and assessor for information security programs in the healthcare, government, e-commerce, and financial industries. With experience in systems programming, network infrastructure design/deployment, and information security, Allison has earned the highest industry certifications, including CCIE, CCSP, CISSP, MCSE, CCSE, and INFOSEC Professional. A graduate of the University of California, Irvine, Allison has lectured at universities and spoken at industry shows such as Interop, RSA Conference, Cloud Computing Expo,
MIT Sloan CIO Symposium, and Citrix Synergy.
August 16, 2011 | 2 Comments
I am always amazed when I read the daily cloud blogs, articles and news headlines. Any given day will bring conflicting points of view by cloud industry experts and pundits on how secure clouds are, both private and public. There never seems to be a real consensus on how far security in the cloud has evolved. How then can any corporate CIO sort through the conflicting information and make an informed decision? The good news is that several cloud industry publications; security vendors and research organizations are making a concerted effort to cut through the hype and provide CIO’s with non-biased and researched driven data to help with the decision-making process.
According to Gartner’s 2011 CIO Agenda survey, just 3% of the CIOs surveyed say the majority of their IT operations are in the cloud today. Looking ahead, 43% say that within four years they expect to have the majority of their IT running in the cloud on Infrastructure-as-a-Service (IaaS) or on Software-as-a-Services (SaaS) technologies. This article will review the security issues that are holding back CIOs right now, and what will be needed to accelerate that growth.
CIOs have a fiduciary duty and the ultimate responsibility (legally and ethically) to ensure that the corporation’s sensitive information and data are protected from unauthorized access. CIOs also have limited budgets and resources to work with so they are always researching new and emerging technologies that will reduce cost, increase security and scalability, and maximize efficiencies in their infrastructure. Independent studies have demonstrated that both IaaS and SasS cloud models decrease cost, increase scalability and are extremely efficient when it comes to rapid deployment of new systems. So what are the main security issues that have CIOs delaying a move to the cloud?
Perceived Lack of Control in the Cloud
To a CIO, control is everything; on the surface hosting your sensitive information on an outsourced, shared, multi-tenant cloud platform would seem like a complete surrender and loss of control. How can you control risk and security of an information system that resides in someone else’s data center and is co-managed by outsourced personnel?
There are several secure cloud service providers that understand this concern and have built their entire core business around providing facilities, services, policy and procedures that give their clients complete transparency and control over their information systems. Most secure cloud service providers have adopted and implemented the same security best practices, regulatory and compliance controls that CIOs enforce inside their own internal organization such as PCI DSS 2.0, NIST 800.53, ISO 27001 and ITIL.
In fact CIOs can leverage a secure CSP’s infrastructure and services that may otherwise be cost prohibitive to implement internally thus giving them greater control over their information systems and sensitive data than they might have if hosted internally.
Another area of concern for CIOs is the perceived outsourcing of the risk management of their systems. There is a great level of trust between a secure CSP and a CIO. The CIO is dependent on the cloud service provider for patch management, vulnerability scanning, virus/malware detection, intrusion detection, firewall management, network management, account management, log management and the list goes on and on. Certainly outsourcing all of these critical tasks would constitute loss of control right? Wrong! As part of their standard service offering most secure cloud service providers provide customers system access, dashboards, portals, configuration and risk reports in real time giving CIOs complete control and transparency into their systems. In fact CIOs should consider secure cloud service providers as more of an extension of their own IT departments.
Multi-tenant Cloud Security – is it possible?
One area that keeps CIOs and potential cloud adopters awake at night is the idea that their virtual machines and data would reside on the same server with other customers VMs and data. In addition, multiple customers would also be accessing the same server remotely. As discussed in the previous paragraph, to a CIO control is everything. So is it possible to isolate and secure multiple environments in a multi-tenant cloud? The answer is YES.
So how do you secure a virtual environment hosted in a multi-tenant cloud? The same security best practices that apply to a dedicated standalone information system would also apply to a VM. Virtual machines live in a virtual network on the hypervisor. Hypervisors are the operating system that your virtual machines run on top of. Through VM isolation you isolate your VMs on its own network thus isolating your VMs from other tenants VMs. There is no way for other tenants to see your VMs, or your data. The same goes for network security. You would simply implement firewalls in front of your VMs just as you would in front of a dedicated system.
Another area of concern for CIOs that should not be left out is the topic of disk wiping and data remanence. In a public cloud, multi-tenant environment customer data is typically co-mingled on a shared storage device. Conventional wisdom says that the only way to truly remove data from a disk drive is to literally shred the drives. Degaussing disk is time consuming, expensive and not practical for a public cloud environment. So what can a cloud service provider do to address this problem and provide assurance to CIOs system owners, security and compliance officers that their data has been completely wiped from all storage in the public cloud? Again, the approach is the same as it would be for a dedicated system. Using a DoD approved disk wiping utility you can boot the VM with the utility and perform the recommended number of passes to properly wipe the data from the shared storage.
In summary, there are a variety of reasons CIOs are delaying their move to the cloud from lifecycle management consideration to budgetary reasons. One area of concern that should not delay the move is cloud security. If architected and configured properly, utilizing security best practices both a private or public cloud can securely host and protect your information system and sensitive data.
Mark McCurley is the Director of Security and Compliance for FireHost, where he oversees security feature development and management of the company’s cloud hosting platform and pci compliant hosting environments. Prior to joining FireHost, McCurley played a key role in the development of a large managed service provider’s compliance practice, focused on delivering IT Security, compliance and C&A services to commercial and Federal agencies. His career has centered around data centers and customer IT systems that need to adhere to federal, DoD and commercial compliance mandates and directives. He holds CISSP, CAP and Security+ certifications, and specializes in Security and compliance for the following federal, DoD and commercial compliance mandates: DIACAP, FISMA, SOX, HIPAA and PCI.