Risk
9/13/2010
09:59 PM
George V. Hulme
Commentary

Cloud Security And Compliance: Clear The Ambiguity

The fact that business consumers of public cloud computing services don't get much in the way of transparency into the governance and security efforts of their cloud providers has been an obvious hindrance to cloud adoption. Here's an example of how a nascent, but encouraging, standard - CloudAudit - aims to change that.

Last month I posted Cloud Audit Gets Real, which provides good background about CloudAudit and what the group aims to achieve.

Essentially, CloudAudit provides a common interface and the context around IT controls necessary to automate the auditing of cloud infrastructures to a number of compliance frameworks and regulations. To date, CloudAudit defines compliance "namespaces" for ISO 27002, PCI DSS, COBIT, HIPAA, and NIST 800-53. CloudAudit has also built upon work completed by the Cloud Security Alliance in cross-mapping between compliance framework controls.

George Reese, co-founder and CTO at cloud infrastructure management provider enStratus, who also has worked closely on the development of CloudAudit, and I recently spoke about enStratus having adopted CloudAudit.

Initially, Reese explains, enStratus became involved with CloudAudit because of how it could help foster better governance in the cloud. In addition, should CloudAudit take root and grow in the IT industry, it could have profound benefits for both the cloud providers and the enterprise consumers of cloud services. Here's how he summed up one of the greatest pain points CloudAudit helps to alleviate:

As a cloud provider, enStratus has to constantly undergo different kinds of audits from our customers. Each audit is different, and even if they're auditing for the same thing, each customer asks the same questions in different ways: it's just not economical.

No doubt. And how have cloud providers typically responded to this condition? As one might expect: they've bunkered down and become black boxes by avoiding real transparency. They don't reveal details about their governance efforts and security controls. What CloudAudit does, should it succeed, is make it easier, and much cheaper, to make IT controls transparent to whoever asks. Providers can publish their answers to the CloudAudit questions in a standard format that is readable by auditors and, one day, by automated programs. For example, here is a copy of enStratus' CSA CloudAudit assertions.

"CloudAudit makes it easier for customers to understand the governance environment on which they are thinking of operating," explained Reese.

While anyone could populate those assertions with any responses they'd like, authenticated customers or prospects can log in and see the supporting audit and control documentation - such as the results of a vulnerability assessment, or something as simple as statements of the policies and procedures in place.

Eventually, Reese explains, cloud providers and management companies could use CloudAudit to help better manage their customers' data. "Consider a company that has data that is subject to European privacy laws. enStratus would be able to query the different cloud providers a customer has accounts with and make certain that data never leaves Europe," Reese said. "Through the API we will be able to understand the requirements of the end customer as well as the response to our queries from the cloud provider," he said.
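The two ideas above - providers publishing assertions per compliance namespace in a form that auditors and automated programs can read, and a management layer querying those assertions to enforce a customer requirement such as keeping data in Europe - as an added example that is neither CloudAudit's own code nor enStratus' implementation. Only the namespace names follow the frameworks the article lists; the manifest layout, control identifiers, region field, status values and evidence paths are constructed assumptions for illustration, as is the sample data for the two providers.

```python
"""Consumer-side evaluation of CloudAudit-style compliance assertions.

Added example, not CloudAudit's own code or enStratus' implementation.
The namespace names mirror frameworks the article lists (PCI DSS,
NIST 800-53); the manifest layout, control ids, region field and
evidence references are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample: what two providers might publish in a standard,
# machine-readable form. Each namespace maps a control id to an assertion
# plus a pointer to supporting evidence that an authenticated customer
# could retrieve (the "supporting audit and control documentation").
PROVIDER_MANIFESTS = {
    "provider-a": {
        "regions": ["eu-west", "eu-central"],
        "namespaces": {
            "pcidss": {
                "1.1": {"status": "implemented", "evidence": "/evidence/pci/1.1.pdf"},
                "3.4": {"status": "implemented", "evidence": "/evidence/pci/3.4.pdf"},
            },
            "nist800-53": {
                "AC-2": {"status": "implemented", "evidence": "/evidence/nist/AC-2.pdf"},
            },
        },
    },
    "provider-b": {
        "regions": ["eu-west", "us-east"],
        "namespaces": {
            "pcidss": {
                "1.1": {"status": "implemented", "evidence": "/evidence/pci/1.1.pdf"},
                "3.4": {"status": "not-applicable", "evidence": None},
            },
            # publishes no nist800-53 namespace at all
        },
    },
}


@dataclass
class Requirement:
    """What a customer needs a provider to demonstrate."""
    namespaces: dict                                   # namespace -> required control ids
    allowed_regions: set = field(default_factory=set)  # empty set = no residency rule


def evaluate(provider: str, manifest: dict, req: Requirement) -> list:
    """Return a list of findings (strings); an empty list means the provider
    satisfies the requirement. Each finding names the provider, the
    namespace/control or region involved, and the reason."""
    findings = []
    published = manifest.get("namespaces", {})
    for ns, controls in req.namespaces.items():
        if ns not in published:
            findings.append(f"{provider}: namespace '{ns}' not published")
            continue
        for ctrl in controls:
            assertion = published[ns].get(ctrl)
            if assertion is None:
                findings.append(f"{provider}: {ns}/{ctrl} has no assertion")
            elif assertion["status"] != "implemented":
                findings.append(f"{provider}: {ns}/{ctrl} asserted '{assertion['status']}'")
            elif not assertion.get("evidence"):
                findings.append(f"{provider}: {ns}/{ctrl} implemented but no evidence reference")
    if req.allowed_regions:
        # Data-residency check: any region the provider may place data in
        # that is outside the customer's allowed set is a finding.
        outside = set(manifest.get("regions", [])) - req.allowed_regions
        for region in sorted(outside):
            findings.append(f"{provider}: may place data in region '{region}' outside allowed set")
    return findings


def evaluate_all(manifests: dict, req: Requirement) -> dict:
    """Evaluate every provider a customer has accounts with."""
    return {p: evaluate(p, m, req) for p, m in manifests.items()}


if __name__ == "__main__":
    # A customer subject to European privacy rules that also needs PCI DSS
    # controls 1.1 and 3.4 and NIST 800-53 AC-2 attested with evidence.
    eu_pci = Requirement(
        namespaces={"pcidss": ["1.1", "3.4"], "nist800-53": ["AC-2"]},
        allowed_regions={"eu-west", "eu-central"},
    )
    for provider, findings in evaluate_all(PROVIDER_MANIFESTS, eu_pci).items():
        print(provider, "OK" if not findings else findings)
```

The point of the design is that the customer's requirement is data, not a questionnaire: the same `Requirement` can be evaluated against every provider's published manifest, and a missing namespace, a control asserted as anything other than implemented, an assertion with no evidence reference, or a region outside the allowed set each surfaces as a distinct finding rather than a one-off e-mail exchange.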

CloudAudit was also recently submitted to the Internet Engineering Task Force. The IETF submission is available here.

I hope that we will see more cloud management companies and providers back CloudAudit, because cloud providers, most especially public cloud providers, need to provide much more transparency into their controls if they're to be taken seriously by customers who value insight into how their data is secured or who operate in highly regulated industries.

And, unlike today, should CloudAudit take off there would be no justifiable reason for cloud providers not to be transparent.

For my security and technology observations throughout the day, consider following me on Twitter.
