I have written about the Public Cloud Reality and the need to bring your own security, monitoring, support. This was reinforced by Dave Asprey of Trend Micro at the last Cloud Security Alliance Summit held at this years RSA Conference. The gist of Dave Asprey’s talk was that YOU are responsible for the security of your data, not the cloud service provider. Unfortunately, this sort of discussion often devolves into one of shared vs tenant responsibility, the type of data, etc. It will also devolve into a legal discussion just as quickly. Unfortunately, all this does is point fingers. The long and the short of this discussion is about two items often mixed as one.
The two items are what the cloud service provider will provide and what they will not. In effect, the discussion is more about Service Level Agreements (SLAs) than technology. But ignoring SLAs, Contracts, etc. There are two sides of this discussion.
Cloud Service Provider
The Cloud Service Provider (CSP) provides some form of portal into which you will put your name, contact information, and perhaps a credit card. This information, if personal information and not corporate information could be considered personal identifiable information (PII). And since there is credit card information involved, the CSP systems involved in the payment transaction MUST meet PCI compliance. Let me repeat this one as it is extremely important:
The CSP systems involved in the payment transaction….
In other words, only those systems touched by the payment transaction you make with a CSP is in SCOPE for a PCI Compliance audit. This does not imply that your systems are PCI Compliant as they are most likely out of scope for such an audit. PCI Compliance audits is all about what is considered in scope. In almost all cases, your virtual machines, networks, work loads, and virtualization hosts will be out of scope. In some cases even the portal you use to manage those systems will also be out of scope. This is the public cloud reality and often not discussed.
Given that scope is a huge issue with a PCI audit, do not assume that a PCI Compliance cloud refers to your own workloads, systems, etc. It does not. If you do payment transactions inside your own systems within a Cloud, you are responsible for the audit as they are generally out of scope for a Cloud PCI audit.
Now PCI Compliance has recently changed. If you are working at a CSP or with a CSP, you may want to reread the latest guidance. This guidance was the main point behind Dave Asprey’s talk. Which basically says that the data owner is responsible for passing a PCI Audit.
The tenant side of this picture is really quite easy to visualize and understand but a little more difficult to implement without help from the cloud service provider.
The tenant is responsible for all compliance and security implementations.
But what does that mean? If we refer to the Hybrid Cloud Reference Architecture, you will note there are four types of systems involved: Clouds that Provide Shared Security services, Clouds that do not provide shared security services, storage clouds, and your physical and virtual data centers.
In each case implementations of security are distinctly different, yet you as the tenant are ultimately responsible for compliance and if you are responsible for compliance you are responsible for security.
Now you can see this article has devolved into a discussion of The Law and it has to today because each country, state, commonwealth, and region has its own. When we cross country borders we need to be concerned about treaties and such. Here is where you can easily partner with your Cloud Service Provider however, if you are part of a large multi-national, there is a good chance this is covered by your own legal team already. I would start there myself.
Not the End, Just the Beginning
Assuming you are responsible for your own data is an easy way to look at the cloud today and into the foreseeable future as legislation would need to catch up to today’s problems, and we all know this is far behind. However, even with legislation there will be loop holes, etc.
So what do you do?
Treat a cloud as an extension of your existing data center and impose upon it your own security policy and procedures. This is true for Infrastructure and Platform as a Service. You are limited by what the cloud provides for Software as a Service, so pick clouds that meet your security and data protection requirements. If you are in a cloud that does not meet them, put in software or procedures that will meet them. If your data needs to be encrypted, then either encrypt it before you enter the cloud (CipherCloud, Voltage Security) or encrypt it while in the Cloud (Vormetric, AFORE, High Cloud Security). If your backup policy implies you should maintain a copy of your cloud data elsewhere (since we are treating it as our datacenter) then find a way to copy your data from the Cloud to meet your policy (nearly every SaaS provides this for an extra fee) and you have complete control using the other tools.
The public cloud reality is, ultimately, the data owner is responsible for the data protection, security, and compliance. Dave Asprey of Trend Micro reinforced this concept at the CSA Summit.