On the Virtualization Security Podcast from several weeks ago, we had Craig Balding of the Cloud Security Alliance (CSA) and Peter Mell, who heads up Cloud within NIST, as guests. They announced the availability of the NIST Cloud Computing Definitions as well as some basic guidance around securely using the cloud. While the NIST definitions were available in draft form prior to a few weeks ago, they are now official definitions, and this is a large step forward for the cloud. There has been great debate regarding what comprises the cloud, how to bound the cloud so that it's easier to understand, and how to secure the cloud. Christofer Hoff of the Rational Survivability blog has been spear-heading quite a bit of discussion on cloud taxonomy in his attempts to wrap some thoughts around how to properly secure the cloud and everything within it. The start of this journey is the act of defining exactly what the cloud is, and is not. The NIST document adds to an existing definition by defining public and private clouds.
However, along with security there is a need to provide compliance within the cloud for all the normal aspects of business computing (PCI, SOX, FDIC, etc.). How these fit into the cloud is still to be determined. How some of these compliance regulations fit into virtualization is being worked on today, but others are not yet being considered.
There is guidance coming from CSA, NIST, and RSA with respect to securing the cloud, so we asked the panelists what they felt should be considered when moving into the cloud, which can be an extremely hostile environment where you could be sharing hardware with a competitor. Here are the results:
Craig Balding stated:
Ask yourself what the data classification is, what the workload is, and what layer you are in: SaaS, IaaS, PaaS? Knowing this information will help you with regulations and determine what you should or should not place into the cloud.
This led on to an interesting discussion on how you audit within the cloud, and how a ‘Right to Audit’ clause within any contract works with a cloud provider. The answer to these questions is found in the A6 Initiative, which is the development of an API to allow for audit and assessment scans within the cloud in an automated fashion. Personally, I see the need for something like this within any virtual environment as most of it is opaque.
Peter Mell stated:
Along with everything Craig Balding stated, Peter added that when using Outsourced Private Clouds per the NIST definition, you may wish to actually have a physically independent private cloud, such as renting the entire physical server as a unit. In this way you alleviate co-sharing of resources between competing companies.
The DISA Rapid Access Computing Environment is an IaaS-based cloud for developers where they can use a VM without needing to know the underlying layer. DISA is looking into creating a production version.
Hemma Prafullchandra stated:
Understand requirements/data classification and what existing controls exist within your current data center before moving to the cloud. Ask the cloud provider what controls exist.
Iben Rodriguez stated:
Determine what is economically viable. Make sure cloud providers provide the necessary auditing visibility.
Others on the phone and chat stated you should map your current policy to what will exist within the cloud. Also answer the question: “How sure are you that services are able to be decoupled from each other?”
My take is really all of the above, but there is a desperate need for transparency within the cloud, which also implies we need transparency within virtualization, the underlying layer to the cloud. Cloud agility implies that a company now needs to determine where its data lives and whether it is actually legal for it to live there. An example is a European company placing systems in the cloud and suddenly the VM ends up in another country such as the US, even temporarily during a ‘cloud-wide’ upgrade. Europe has stiffer privacy laws than the US, so this could be a compliance and regulatory nightmare. Will the cloud providers protect against such occurrences?
Now that we have some definitions to which nearly everyone can agree, we need to start working on transparency and some form of security guidance and implementations.