At the end of last year and the beginning of this year the Virtualization Security Podcast featured two very different guest panelists to discuss cloud security, policy, and compliance: Phil Cox, Director of Security and Compliance at RightScale, joined us for the last podcast in 2011, and George Gerchow of VMware’s Policy and Compliance Group joined us for the first podcast of 2012. We asked whether the public cloud is ready for mission-critical applications. The answer was surprising. Have a listen and let us know your thoughts.
The answers ranged from “yes, things are more secure and compliant, with better policies” to “we need proof that the cloud is more secure and compliant, and will handle my organization’s policies properly.” Both conversations were dominated by one simple fact:
Yes the Clouds may be more secure and compliant, but there is no proof that they are.
For security professionals and compliance auditors, this proof is a requirement. So what do you do to get it? In some cases you cannot, as that proof is simply not publicly available, and it may not be easily or readily available inside the cloud provider either. More on this a bit later. But even if we did get some sort of proof, would that proof come with enough information that the scope of the proof was known?
Let us take PCI compliance as an example. In order to properly audit for compliance (and the underlying security), the scope of the audit needs to be defined. Does this scope encompass everything? Do we know what is considered in scope? When a cloud provider says they are PCI compliant, I have to ask: what was the scope of the audit? Was it just those virtual and physical constructs sitting in a corner somewhere, or was it every tenant environment plus the cloud provider’s underlying environment? Scope therefore becomes a very large issue. Here is an example that came up:
A tenant with a PCI workload does an audit of their workloads running within a public cloud; however, we discover the scope is too narrow, as part of the PCI workload touches the cloud provider’s core infrastructure when credit card data passes into and out of the tenant. Therefore, the PCI audit needs to include the parts of the cloud provider’s core infrastructure where that data touches. This would minimally include the cloud’s core switch fabric.
In both podcasts, one about security and one about compliance, the discussion of scope surfaced as a rising concern about public cloud security.
The advice from both podcasts for moving to the cloud is to do the following up front, where up front means before you even consider the cloud, since once you are entrenched it will be more about politics and the cost of change than about real compliance and security. So before you move to the cloud there is quite a bit of up-front work that needs to be accomplished:
- Verify that your security and compliance policies account for cloud-based workloads (a simple document audit), and update them if necessary
- Develop a list of questions about security and compliance policy to ask your cloud providers
- Interrogate your prospective cloud providers on what evidence they can provide to prove compliance and security
- Ensure you fully understand the scope of the cloud providers’ audits and evidence
If you cannot get this information out of a cloud provider, then move on to the next one until you find a good fit. This is one way cloud providers can differentiate themselves.
While the clouds may be more secure and compliant, cloud providers need to provide proof in the form of evidence, together with the scope of that evidence, so that the tenants who own the data can make intelligent decisions. After all, when there is an audit issue, breach, or other security event, the tenant is ultimately responsible, not the cloud provider.