You can Benefit from the Cloud: Choose based on Class of Service

July 10, 2013

In my last blog, I had promised a deeper dive into Choosing a Cloud provider based on Class of Service.

It is a very timely topic. In one of the very many recent articles on cloud security, “Avoiding cloud security pitfalls”, Telstra enterprise and infrastructure services IT director Lalitha Biddulph advises: “A lot of cloud services are proprietary and once you move your data in there, you may have given away your right to shift data by choosing to use a particular service.”

Without a doubt this is an area of risk to be balanced when deciding which key vendors to use across public cloud SaaS, PaaS and IaaS models. It is also an area of opportunity: organizations can draw up distinct SLAs around their rights to their data and ensure that those SLAs are properly drawn up, communicated and agreed to by all parties before any data is moved across.

Over the last couple of years we have seen remarkable strides forward with cloud providers becoming much more diligent in not only improving levels of security for hosted email, customer relationship management and vertically-focused applications, but also with IaaS providers becoming much more flexible in conditions around SLAs and reporting.

I continue to feel greatly encouraged by the work that the Cloud Security Alliance is doing and it is why I invest my time in their activities. I believe that they have the power with their wealth of resource and broad industry participation to continue to educate the industry and move us forward with ideal frameworks based on consensus.

While I think caution should be urged and organizations should be in no doubt about the risks their data can be exposed to in cloud models, this should also be balanced against the economic advantages. Added to that, cloud models have matured for the types of services I have mentioned above and others – that too should be taken into consideration, along with a robust set of security controls.

Additionally, for more news and discussions, head over to @SecDatacenter or Secure Data Center Trends.

Evelyn de Souza Bio
Evelyn is a senior data center and cloud security strategist for the Security Technology Group at Cisco, responsible for championing holistic and next-generation security solutions. She is a strong proponent of building automated, repeatable processes that enable organizations to sustain compliance while optimizing security posture and reducing costs. To this end, in her previous role she pioneered the development of such tools as the McAfee Compliance Mapping Matrix, which cross-maps various regulations, standards, and frameworks to e solutions, and the McAfee PCI Mapping Tool. She currently co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM) and is focused on harmonizing efforts across industry initiatives such as the Open Data Center Alliance (ODCA). Evelyn is a dedicated security professional with more than 12 years in the IT security industry. She enjoys engaging with industry analysts, customers, and partners to discuss industry trends and how security solutions can best be implemented to meet the needs of next-generation datacenters. She holds a Bachelor of Arts degree with honors in music from Monash University, Melbourne, Australia. She can also be found on Twitter at: e_desouza

Why the Cloud Cannot be treated as a One-size-fits-all when it comes to Security

June 24, 2013

Despite the fact that cloud providers have long since differentiated themselves with very distinct offerings based on cloud platform type, I often see the cloud written about as though it were a single, uniform service. The problem with that is that, while there are commonalities, it is downright misleading, especially as so much is misunderstood about what is required to secure cloud-based services and the risks involved. Today there are three classes of service: Software as a Service (SaaS), where the provider hosts software-based services and the consumer accesses them via a web interface; Platform as a Service (PaaS), which developers mostly use to develop software-based offerings; and Infrastructure as a Service (IaaS), where consumers can “rent” infrastructure to host their own services.

When I speak with customers I recommend they consider cloud offerings in the light of the classes of service they need, the types of data they will need to expose, their regulatory compliance needs, and the reputation and flexibility of the service providers they are looking to leverage, because even within the classes of service mentioned above there are distinct variances.

Choosing a cloud provider based on class of service

Over the last five years in particular the industry has benefited from broad-based adoption of SaaS, particularly for customer relationship management, payroll and document collaboration, to name a few. But cloud providers in this space range from those with established practices and well-documented, robust data handling and hygiene practices to emerging players. The same goes for PaaS and IaaS. Over the last couple of years some IaaS providers have developed tailored offerings to suit particular verticals such as government, retail and healthcare. Today, the industry is still very much lacking standard definitions and templates for SLAs. And each class of service brings different security requirements too, ranging from SaaS, where the consumer has no ability to push security controls down into the provider’s environment, to IaaS, where the consumer is typically responsible for securing the virtual machines they “rent” from a provider. This is where leveraging the freely available resources of the Cloud Security Alliance Trust and Assurance Registry (STAR), an initiative that encourages transparency of security practices among cloud providers, is incredibly valuable.

Data Security According to Data Type

Data, too, is not created equal. Consumers of different cloud services need to consider the data they entrust to a SaaS provider both from a sensitivity level and in terms of the exposure that may result from a potential data breach. This concern may be a little different with IaaS, where a consumer potentially has the opportunity to add more safeguards such as encryption, file monitoring and other security controls at the virtual machine level that may help mitigate some of the risks. I have seen some excellent security implementations around the vertical stack models that some IaaS providers have developed for government, retail and healthcare, now expanding to more verticals. However, there are issues such as data residency, data handling, and monitoring at the network and overall host level that still need to be considered and carefully thought out.

Regulatory Compliance Needs

Some years back the security industry had been focused on the idea of audit and compliance fatigue: the idea that many enterprises today can be dealing with in excess of fifty mandates, depending on whom they do business with and their geographic span, and with the amount of often manual audit data collection that entails. Since then there has been some automation of IT audit practices, but it still remains a time-consuming practice for most organizations. There are over 4000 mandates today, which the Unified Compliance Framework has done an amazing job of tracking and cross-mapping for many years, and as always more government and data privacy mandates are in the works. The Cloud Security Alliance Cloud Controls Matrix also cross-walks several standards but further categorizes controls according to platform, recognizing that different models require different controls. It is ideal for those looking to learn how to evolve their controls to map to different models and who want to avoid the audit fatigue syndrome through the concept of audit once, report many times.

Over the next few weeks I will drill down into each of the above areas. In the meantime, if you have any questions or wish to discuss any of the above further, please contact me at [email protected].

CSA Releases CCM v3.0

February 25, 2013

The Cloud Security Alliance (CSA) has today released a draft of the latest version of the Cloud Controls Matrix, CCM v3.0. This latest revision of the industry standard for cloud computing security controls realigns the CCM control domains to achieve tighter integration with the CSA’s “Security Guidance for Critical Areas of Focus in Cloud Computing version 3” and introduces three new control domains. Beginning February 25, 2013, the draft version of CCM v3.0 will be made available for peer review through the CSA Interact website, with the peer review period closing March 27, 2013, and final release of CCM v3.0 on April 1, 2013.

The three new control domains, “Mobile Security”, “Supply Chain Management, Transparency and Accountability”, and “Interoperability & Portability”, address the rapidly expanding methods by which cloud data is accessed, the need to ensure due care is taken in the cloud provider’s supply chain, and the minimization of service disruptions in the face of a change to a cloud provider relationship.

The “Mobile Security” controls are built upon the CSA’s “Security Guidance for Critical Areas of Mobile Computing, v1.0” and are the first mobile-device-specific controls incorporated into the Cloud Controls Matrix.

The “Supply Chain Management, Transparency and Accountability” control domain seeks to address risks associated with governing data within the cloud, while “Interoperability & Portability” brings to the forefront considerations for minimizing service disruptions in the face of a change in a cloud vendor relationship or an expansion of services.

The realigned control domains have also benefited from changes in language to improve the clarity and intent of each control, and in some cases controls have been moved within the expanded control domains to ensure cohesiveness within each domain and minimize overlap.

The draft of the Cloud Controls Matrix can be downloaded from the Cloud Security Alliance website, and the CSA welcomes peer review through the CSA Interact website.

The CSA invites all interested parties to participate in the peer review and in the CSA Cloud Controls Matrix Working Group Meeting to be held during the week of the RSA Conference, at 4pm PT on February 28, 2013, at the Sir Francis Drake Hotel, Franciscan Room, 450 Powell St, San Francisco, CA.