Risk
9/13/2010
09:59 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Cloud Security And Compliance: Clear The Ambiguity

The fact that business consumers of public cloud computing services don't get much in the way of transparency into the governance and security efforts of their cloud providers has been an obvious hindrance to cloud adoption. Here's an example at how a nascent, but encouraging, standard - CloudAudit - aims to change that.

The fact that business consumers of public cloud computing services don't get much in the way of transparency into the governance and security efforts of their cloud providers has been an obvious hindrance to cloud adoption. Here's an example at how a nascent, but encouraging, standard - CloudAudit - aims to change that.Last month I posted Cloud Audit Gets Real which provides good background about CloudAudit and what the group aims to achieve.

Essentially, CloudAudit provides a common interface and the context around IT controls necessary to automate the auditing of cloud infrastructures to a number of compliance frameworks and regulations. To date, CloudAudit defines compliance "namespaces" for ISO 27002, PCI DSS, COBIT, HIPAA, and NIST 800-53. CloudAudit has also built upon work completed by the Cloud Security Alliance in cross-mapping between compliance framework controls.

George Reese, co-founder and CTO at cloud infrastructure management provider enStratus, who also has worked closely on the development of CloudAudit, and I recently spoke about enStratus having adopted CloudAudit.

Initially, Reese explains, enStratus became involved with CloudAudit because of the how it could help further better governance in the cloud. In addition, should CloudAudit take root and grow in the IT industry, it could have profound benefits for both the cloud providers and the enterprise consumers of cloud services. Here's how he summed one of the greatest pain points CloudAudit helps to alleviate:

As a cloud provider, enStratus has to constantly undergo different kinds of audits from our customers. Each audit is different, and even if they're auditing for the same thing, each customer asks the same questions in different ways: it's just not economical.

No doubt. And how have cloud providers typically responded to this condition? As one might expect: they've bunkered down and they've become black boxes by avoiding real transparency. They don't reveal details about their governance efforts and security controls. What CloudAudit does, should it be successful, is make it easier at a much lower cost to make IT controls transparent to whoever asks. Providers can publish their answers to the CloudAudit questions in a standard format that is readable by auditors and, one day, automated programs. For example, here is a copy of enStratus' CSA CloudAudit assertions.

"CloudAudit makes it easier for customers to understand the governance environment on which they are thinking of operating," explained Reese.

While anyone could populate those assertions with any responses they'd like, authenticated customers or prospects can go log-in and see supporting audit and control documentation - such as the results of a vulnerability assessment, or something as simple as statements of the policies and procedures in place.

Eventually, Reese explains, cloud providers and management companies could be able to use CloudAudit to help better manage their customers data. "Consider a company that has data that is subject to European privacy laws. enStratus would be able to query the different cloud providers a customer has accounts with and make certain that data never leaves Europe," Reese said. "Through the API we will be able to understand the requirements of the end customer as well as the response to our queries from the cloud provider," he says.

CloudAudit was also recently submitted to the Internet Engineering Task Force. The IETF submission is available here.

I hope that we will see more cloud management companies and providers back CloudAudit. Because cloud providers, most especially public cloud providers, need to provide much more transparency into their controls if they're to be taken serious by customers who value insight into how their data is secured or operate in highly regulated industries.

And, unlike today, should CloudAudit take off there would be no justifiable reason for cloud providers not to be transparent.

For my security and technology observations throughout the day, consider following me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2808
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

CVE-2014-9713
Published: 2015-04-01
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

CVE-2015-0259
Published: 2015-04-01
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

CVE-2015-0800
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

CVE-2015-0801
Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.