The Compliant Cloud: managing compliance and attestation for cloud services
As annoyed as people are with the “over hyped” nature of cloud discussion (see “What’s the most over-hyped issue in security? (Hint: it’s white and fluffy)”), it’s still an insanely popular subject, and people still want to know: how do we get compliance from the cloud?
On the panel discussing this topic were:
Here are some of the issues that came out of the discussion:
- There are 20 different types/definitions of “clouds.”
- Visibility and transparency are the two most important things that we should be asking service providers. You have to care how things work with your cloud provider.
- Need to tie the controls from the infrastructure all the way up to the cloud stack. Be able to have a comprehensive story of compliance.
- When you go to cloud you’ve decided to outsource a certain level of security. Because of that, you want to create visibility and accountability. You need data to be seen over time and in context.
- Can we have an easier to govern private cloud rather than the general public cloud?
- What are the requirements of your service provider? Not all clouds are created equal. You’re going to want a certain level of diligence. It’ll come down to the SLA you create with the cloud provider.
- There isn’t a finish line. Your compliance requirements change year over year. It is the cloud’s flexibility that makes it so attractive to adapt to ever changing compliance issues. The cloud’s ability to be better at security is that it can be more aligned to those dynamic changes that are needed over time.
- Regulations and compliance do not equal security. Everyone agreed with that statement.
- One way to get people over that basic fear of the cloud is to get deep visibility all the way into the hardware, and be able to communicate that up the stack, so you can audit.
- You don’t necessarily need to see the hardware though. But you do want to see the patches and when they’re being updated. What you want to see varies greatly customer to customer.
- Precision of language around “cloud” is constantly changing. Hoff saw one case where “continuous” meant “monthly.”
- Companies are failing compliance in the cloud because they don’t have the right controls in place with their cloud provider.
- Not everyone needs the same level of security in the cloud. The cloud can be very bumpy with different customers requiring different security controls all within the same cloud.
- What’s the currency between your need and how fast a policy change can be implemented?
- Different disciplines of security (e.g., information security, application security, storage security) have different requirements and different tools to fill those requirements.
- At Terremark they expose certain data to the customer. With Amazon, those visibility services are simply not available. When you choose a cloud provider, you need to know what visibility you’re getting.
- We have a long journey ahead of us and there’s no finish line.