Configuration Compliance in the Cloud

By David Meltzer


As a member solution provider in the Cloud Security Alliance, paying careful attention to risk and planning for improvement is second nature for my own companies’ security services. As a consumer of many start-up cloud services built completely outside the security industry, however, I have observed that building secure cloud services is a much more daunting task for companies not filled with security experts. Asking an early-stage SaaS start-up to answer 197 questions about their risk and how they comply with the 98 items in the Cloud Controls Matrix is more likely to get a “You have got to be joking” and/or a virtual blank stare than receive any substantive assurances about security risk.


Vendors might look at a list of questions like the CSA Consensus Assessments Initiative Questionnaire and be overwhelmed with all the requirements. Vendors that want to provide a more substantive answer than ‘YES’ or ‘NO’ are probably also asking, ‘How do I get started with the basics?’


In this article, I’ll walk through one of the basic security building blocks that can turn an average start-up SaaS service into one that takes security seriously and can ‘pass muster’ with even the most paranoid security auditors found at companies like mine.


One requirement that cuts across a broad cross-section of controls in the Cloud Controls Matrix is the performance of infrastructure audits. Infrastructure audits always begin with a discovery process: you have to know everything in your infrastructure before you can determine if it is secure. This seems straightforward, but it’s not as easy as you think. Do you know specifically how many assets you have, where they are, and what they are? Discovery can be a simple process if all management is centralized, but most companies can find a few surprising things (or a lot of things) pretty quickly. For example, what started as a few virtual instances with a single provider can quickly morph into multiple cloud infrastructure providers with a private network or two thrown in for good measure. At this point an asset inventory becomes a very valuable step. A variety of open-source and free cloud solutions that automate basic network discovery are available, so if the answers to infrastructure questions aren’t totally straightforward, it’s easy and free to get detailed, reliable answers.


Once you know what is there, the next question to ask yourself is, ‘Do I have a security configuration policy for each of these systems?’ It is rarely necessary to create any configuration policies yourself; the security industry has spent the last decade building policy templates for a wide range of operating systems, servers, devices, and applications. The most prominent sources for these policies today are the Center for Internet Security and NIST’s Security Content Automation Protocol.

These policies can be applied to your systems ‘as-is’ or used as a baseline and modified to fit your particular application needs.


Now that you have a policy, the next step is auditing the assets against the policy. A variety of solutions exist for doing this: it can be a manual effort, a host-based approach applied system by system, or a network-based approach assessing the entire discovered network at once. Both CIS & NIST have certification processes and publicly list certifications awarded, so if you decide to use a vendor instead of assessing each asset manually, it’s easy to narrow down options.


Automation of configuration auditing pays dividends quickly, but the frequency of updates to your production services will dictate how much re-auditing is necessary.  In an ideal closed-loop solution, changes to a configuration will immediately trigger an automated re-audit, giving you a constantly updated assessment of how closely the configurations of your production assets compare to the policies you’ve set.  With manual processes, weekly or monthly audits may be a more practical goal to set. Almost anyone who implements an automated configuration auditing program will start to see how quickly policy deviations creep into production services.  With quick detection, these configuration errors are just as easy to remediate as they are to detect.
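The audit and change-triggered re-audit steps described above, as an added example that is not part of the original article. The three-rule baseline, the asset name `web-01` and the sample sshd_config are constructed for illustration (they are not CIS or SCAP content), and a directive that is not set explicitly is treated as a deviation by assumption.

```python
import hashlib

# Constructed baseline in the style of a hardening policy (not CIS/SCAP content).
# directive -> (check on the observed value, human-readable expectation)
BASELINE = {
    "permitrootlogin": (lambda v: v == "no", "no"),
    "passwordauthentication": (lambda v: v == "no", "no"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "<= 4"),
}

def parse_sshd_config(text):
    """Global settings only: keywords are case-insensitive, first occurrence wins."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional blocks are not part of the global baseline check
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def audit(asset, text, baseline=BASELINE):
    """Compare one asset's config with the baseline; return one evidence record per rule."""
    observed = parse_sshd_config(text)
    findings = []
    for key, (check, expected) in baseline.items():
        value = observed.get(key)  # None: directive not set explicitly (assumed a deviation)
        findings.append({"asset": asset, "setting": key, "observed": value,
                         "expected": expected, "pass": value is not None and check(value)})
    return findings

def reaudit_if_changed(asset, text, seen_digests):
    """Closed loop: audit only when the config differs from the last audited version."""
    digest = hashlib.sha256(text.encode()).hexdigest()
    if seen_digests.get(asset) == digest:
        return None
    seen_digests[asset] = digest
    return audit(asset, text)

# Constructed sample config for the hypothetical asset "web-01".
SAMPLE = """\
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
Match User deploy
    MaxAuthTries 2
"""
```

The records returned by `audit` double as the evidence of compliance the article mentions: each one names the asset, the setting, the observed value and the expected value.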


Implementing a configuration compliance program from scratch that includes discovery, policy assignment, and auditing doesn’t require a lot of time and produces one of the biggest ‘bangs for the buck’ in securing a service. And, perhaps more importantly, with a configuration compliance program in place you are able to produce evidence of compliance for future customers and auditors. This program ensures you have a broad set of documented configurations for how your infrastructure should be configured (with little work on your part), a program to audit compliance, and evidence of compliance, as provided by the output of your audits, for every asset of your infrastructure.


A solid configuration compliance program is the cornerstone of every cloud security program. It pays immediate dividends with customers and auditors and is relatively inexpensive to put together.

Cloud Security Requires All Hands on Deck

Andrew Wild, CSO at Qualys, discusses how security postures and attitudes need to change as more and more IT functionality moves to the cloud


It’s clear there are many compelling reasons, both financial and productivity-related, for enterprises to move IT functionality into the cloud, so it’s not surprising that they’re moving quickly to adopt popular collaboration services like Yammer, Jive, and the like. According to a recent study by business technology service provider Avanade, 74 percent of enterprises are using cloud computing, a 25 percent increase over results for the same survey in September 2009. Of those organizations yet to adopt cloud services, three-quarters say cloud is in their future plans. The migration of IT functionality into the cloud magnifies the importance of ensuring users understand how to use these services most productively and securely, especially since security for cloud services is typically implemented by the cloud service provider and the enterprise has limited control over that security while retaining legal responsibility for regulatory compliance.


Understanding Controls

The use of cloud services brings many advantages to the enterprise, but it’s vital that everyone involved understand how the differences between cloud and traditional enterprise IT services impact information security. Most organizations have defined security policies that provide administrative guidance for users about how to use IT services securely, as well as the responsibility of all users to safeguard privileged information. In addition to these administrative security controls, enterprises typically implement technical controls that detect, or in some cases prevent, violations of those policies. Examples of these technical security controls include data loss prevention (DLP) technologies, firewalls, and email security appliances, among others. These technical controls are often used to prevent disclosure (both malicious and unintentional) of sensitive information.


The effectiveness of these controls is generally acceptable for on-premise security, but for cloud-based IT, they bring little or no benefit, because they’re designed to function inside the enterprise IT infrastructure. Technical security controls for cloud IT services are designed, implemented and managed by the cloud provider. The specific technical security controls implemented by cloud vendors vary by provider, but in general, enterprise IT and security staff have significantly less visibility into or control over them than in a comparable in-house deployment.


Embracing Constant Change without Sacrificing Security

Cloud-based IT services typically provide a feature-rich, highly interactive experience for end users.  Because of the deployment model, cloud service providers can introduce new functionality and service enhancements frequently and rapidly, usually with no involvement from the organization’s IT or security team.   This dynamic and rapidly evolving environment is challenging for both end users and organizational IT and security staff.  End users may find it difficult to keep up with all of the new functionality, and may not be able to make full use of the features, leading to less than optimal productivity, while  IT and security staff will not usually have sufficient time to assess the possible impact of the new functionality on the security of the organization.


Security Awareness and End User Training:  More Important than Ever


These factors combined require an altered approach to end-user education across the enterprise. Now more than ever, every person who accesses company information must play an active role in ensuring the security of an organization’s information. Enterprises must fully educate their employees about those responsibilities to ensure the security of the organization’s information, as well as how to use the cloud IT services securely. This is particularly true now that many employees are accessing corporate networks from personal devices such as smartphones and tablet computers; a recent study by Cisco Systems found that a majority of individuals believe they are not responsible for protecting information accessed through devices[1].


Here are some ideas to begin implementing security awareness and IT training programs that ensure security in the face of the disruptive nature of cloud-based IT:


  1. Establish clear IT objectives for each cloud-based IT service that you select.
    Understanding how you expect the particular cloud-based IT service to be used is essential in order to evaluate the possible risks the service may pose to your organization. You can’t always avoid the risk, but educating your end users as to the security risks and appropriate use of the service will go a long way towards minimizing that risk.
  2. Ensure end users understand their responsibilities.
    Make sure that end users fully understand their role in securing the organization’s information. Far too often, employees believe that security is solely the purview of the IT security team, rather than a responsibility of every employee. Your organization’s culture should reflect that global responsibility, so all employees understand the critical role they play, and IT security staff are seen as shepherds and helpers rather than guards and enforcers.
  3. Ensure that your information security program encourages end user participation.
    In the rapidly changing world of cloud-based IT services, it is very likely that end users will learn of new features and capabilities before your IT and security staff does.  You can take advantage of this – involved end users are more likely to provide feedback to the organization about how new features may introduce risk.  This kind of feedback from end users is critical to the participatory process, enabling  IT security staff to adapt awareness training and security controls as appropriate to minimize the risks.


A Plea to Cloud IT Service Providers

Enterprise IT security staff understands the differences between cloud and on-premise IT services. So it’s very clear to them that most cloud IT service providers do not provide the enterprise sufficient transparency in the implementation and ongoing management of security controls.


Cloud service providers must continue to work to improve the visibility they provide to their enterprise customers to ensure the proper implementation of technical security controls.  While the responsibility for implementing the technical security controls shifts to the cloud provider in a cloud-based IT service model, the responsibility for securing the enterprise’s data still belongs to the enterprise security team.  Cloud providers must enable the enterprise to integrate the security of cloud-based IT services with enterprise managed IT services.   The ability to integrate with existing enterprise processes is critical for the enterprise to meet compliance requirements by leveraging existing security resources while adopting cloud-based IT services.


A few examples of the ways in which transparency can be improved include:

  1. Federated identity services, allowing the enterprise to own the management of its user identities. Giving the enterprise the ability to manage its own identities allows the enterprise to leverage the existing user account provisioning and de-provisioning processes and controls.
  2. Access to event logging for the purpose of auditing user activity. Providing the enterprise with detailed event logging information, especially in regard to user activity, allows the enterprise to leverage existing event management processes and controls.
  3. Configurable options at the organization level to manage the sharing of information. Allowing the enterprise to configure how information is shared on the cloud-based IT service enables the enterprise to ensure consistency with its enterprise information classification and handling processes.

Enterprise security professionals understand that cloud-based IT services are still maturing; cloud IT service providers should not forget that a lack of progress towards improved transparency will eventually impede the adoption of their services.


Kudos to Microsoft! 3 Offerings Now on the STAR Registry

We at the CSA want to offer a hearty congratulations to the team at Microsoft, for their leadership in completing and publishing STAR assessments for their products. As of today, Office 365, Windows Azure and Dynamics all have STAR assessments completed and published.

We applaud Microsoft for leading the way in bringing visibility and transparency of security best practices to the cloud.

For more information on the Microsoft STAR Registry entries, and to learn more about what their customers are asking for, visit their blog post.