Risk
9/13/2010
09:59 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Cloud Security And Compliance: Clear The Ambiguity

The fact that business consumers of public cloud computing services don't get much in the way of transparency into the governance and security efforts of their cloud providers has been an obvious hindrance to cloud adoption. Here's an example at how a nascent, but encouraging, standard - CloudAudit - aims to change that.

The fact that business consumers of public cloud computing services don't get much in the way of transparency into the governance and security efforts of their cloud providers has been an obvious hindrance to cloud adoption. Here's an example at how a nascent, but encouraging, standard - CloudAudit - aims to change that.Last month I posted Cloud Audit Gets Real which provides good background about CloudAudit and what the group aims to achieve.

Essentially, CloudAudit provides a common interface and the context around IT controls necessary to automate the auditing of cloud infrastructures to a number of compliance frameworks and regulations. To date, CloudAudit defines compliance "namespaces" for ISO 27002, PCI DSS, COBIT, HIPAA, and NIST 800-53. CloudAudit has also built upon work completed by the Cloud Security Alliance in cross-mapping between compliance framework controls.

George Reese, co-founder and CTO at cloud infrastructure management provider enStratus, who also has worked closely on the development of CloudAudit, and I recently spoke about enStratus having adopted CloudAudit.

Initially, Reese explains, enStratus became involved with CloudAudit because of the how it could help further better governance in the cloud. In addition, should CloudAudit take root and grow in the IT industry, it could have profound benefits for both the cloud providers and the enterprise consumers of cloud services. Here's how he summed one of the greatest pain points CloudAudit helps to alleviate:

As a cloud provider, enStratus has to constantly undergo different kinds of audits from our customers. Each audit is different, and even if they're auditing for the same thing, each customer asks the same questions in different ways: it's just not economical.

No doubt. And how have cloud providers typically responded to this condition? As one might expect: they've bunkered down and they've become black boxes by avoiding real transparency. They don't reveal details about their governance efforts and security controls. What CloudAudit does, should it be successful, is make it easier at a much lower cost to make IT controls transparent to whoever asks. Providers can publish their answers to the CloudAudit questions in a standard format that is readable by auditors and, one day, automated programs. For example, here is a copy of enStratus' CSA CloudAudit assertions.

"CloudAudit makes it easier for customers to understand the governance environment on which they are thinking of operating," explained Reese.

While anyone could populate those assertions with any responses they'd like, authenticated customers or prospects can go log-in and see supporting audit and control documentation - such as the results of a vulnerability assessment, or something as simple as statements of the policies and procedures in place.

Eventually, Reese explains, cloud providers and management companies could be able to use CloudAudit to help better manage their customers data. "Consider a company that has data that is subject to European privacy laws. enStratus would be able to query the different cloud providers a customer has accounts with and make certain that data never leaves Europe," Reese said. "Through the API we will be able to understand the requirements of the end customer as well as the response to our queries from the cloud provider," he says.

CloudAudit was also recently submitted to the Internet Engineering Task Force. The IETF submission is available here.

I hope that we will see more cloud management companies and providers back CloudAudit. Because cloud providers, most especially public cloud providers, need to provide much more transparency into their controls if they're to be taken serious by customers who value insight into how their data is secured or operate in highly regulated industries.

And, unlike today, should CloudAudit take off there would be no justifiable reason for cloud providers not to be transparent.

For my security and technology observations throughout the day, consider following me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVE-2015-0885
Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.