"I've got a real simple one-liner if we're talking compliance in the cloud," says Walt Conway, a qualified security assessor and consultant for 403 Labs. "At its basic level, it doesn't matter -- the same rules apply."
Of course, Conway says, where things get tricky is that the context of compliance changes when a third-party's actions could determine whether you get flagged by an auditor or a qualified security assessor (QSA). That's why any cloud compliance initiative should start with a simple planning spreadsheet, he says.
"In the first column you write every single regime requirement -- PCI, HIPAA, FISMA, whatever -- and you line them up. In the column next to it you write, 'Am I doing it? Next to that, 'Is the provider responsible for it?' and next to that, 'Is it shared?'" Conway says. "Then you start going through there and filling it out. Until you finish that, you've got no business doing anything else."
This determination of responsibility is key, as it will give a clear path to understand how to get your own house in order to comply within the cloud and what to ask for from cloud providers.
"For example, in the cloud the underlying cloud infrastructure, its architecture, its maintenance, and its redundancy [are] clearly the responsibility of the provider; likewise, the application [in many cases] and all of the data maintenance [are] clearly the responsibility of the customer," says Allen Allison, chief security officer for NaviSite. "However, how an organization assigns roles and responsibilities for everything in between and assigns responsibility for the ongoing compliance of those roles and responsibilities is extremely important to the ongoing management of the compliance program."
Making Sure Your Own House is in Order
Many compliance best practices revolve around solid network segmentation, which reduces the scope of compliance and focuses the most stringent security measures on the assets that really matter. One reason cloud compliance is so difficult is that the architecture of cloud computing and virtualization environments tends to wreak havoc on efforts to segment network and data assets.
"What we have encountered ... is that people get excited about getting virtualization in their environment or going out and using a cloud service provider, and they didn't really stop and think through all of the implications," says Ken Biery, principal consultant of the cloud security services team for Verizon. "We all understand the concept of in-scope and out-of-scope systems, and the challenge is if you had the virtualized environment and in it you had some in-scope systems and you had some out-of-scope systems or kind of a mixed-mode environment, then you're going to be more challenged to convince your QSA that you truly isolated that environment or segmented it appropriately."
This is where a lot of hard work in the planning and design phase comes in, Biery says. Organizations that simply throw a bunch of IT resources onto the cloud to save a buck -- without thinking about which are sensitive and which are not, and without planning for segmentation and proper measures -- will end up paying in the long run.
"It's like anything else: If you take the time to do the design up front, you usually save a lot of headaches and complications down the road," he says, explaining that the most successful companies are taking the time to look at regulated data, like health care, payment card, or personnel information, and creating individual virtualized cloud segments for them. "You may want to have this 'pod' or 'virtualized farm' -- we've used both terms -- where you create this segmented, isolated environment where it discretely contains those areas that are sensitive, and you can obviously set it up in such a way that you keep the right controls [over them]."
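As an added illustration (not from the article or from any of the firms quoted), here is a small scoping check in Python that flags the "mixed-mode" situation Biery describes: segments hosting both regulated and unregulated systems, and allow rules from out-of-scope segments into in-scope ones. The inventory, segment names, and rules are constructed sample data.

```python
# Added example: a scoping check for a virtualized environment. Flags
# segments that mix in-scope and out-of-scope systems, and allow rules
# that expose an in-scope segment to an out-of-scope one.
# All inventory and rule data below is constructed for illustration.

REGULATED = {"PCI", "PHI"}  # data classes that put a system in scope

# Constructed inventory: (vm name, network segment, data classification)
INVENTORY = [
    ("web-01", "pod-pci", "PCI"),
    ("db-01", "pod-pci", "PCI"),
    ("hr-app", "shared-a", "PHI"),
    ("wiki", "shared-a", "none"),
    ("build", "corp", "none"),
]

# Constructed segment-level allow rules: (source segment, destination segment)
ALLOW_RULES = [
    ("corp", "shared-a"),
    ("corp", "pod-pci"),
    ("pod-pci", "pod-pci"),
]


def classify_segments(inventory):
    """Map each segment to the set of data classifications it hosts."""
    segs = {}
    for _vm, seg, cls in inventory:
        segs.setdefault(seg, set()).add(cls)
    return segs


def in_scope(classes):
    """A segment is in scope if any system in it holds regulated data."""
    return bool(classes & REGULATED)


def mixed_segments(inventory):
    """Segments hosting both regulated and unregulated systems; these drag
    every system in the segment into compliance scope."""
    return sorted(seg for seg, cls in classify_segments(inventory).items()
                  if in_scope(cls) and (cls - REGULATED))


def exposed_rules(inventory, rules):
    """Allow rules from an out-of-scope segment into an in-scope one, which
    an assessor will treat as pulling the source segment into scope."""
    segs = classify_segments(inventory)
    return sorted((s, d) for s, d in rules
                  if s != d and in_scope(segs.get(d, set()))
                  and not in_scope(segs.get(s, set())))


if __name__ == "__main__":
    print("mixed segments:", mixed_segments(INVENTORY))
    print("exposed rules:", exposed_rules(INVENTORY, ALLOW_RULES))
```

Feeding a real inventory export and firewall policy into the same two functions gives a first cut of what a QSA would ask about before the design is finalized.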
Similarly, as Conway noted, the usual best practices still apply to those virtual machines: systems need to be patched and monitored accordingly.
Looking At Providers
When determining whether a provider can offer enough measures on their end to keep you compliant, transparency is the name of the game.
"Can you be compliant in the cloud? Yes -- no question you can," Conway says. "But the context is such that certain parts of it are going to be difficult because, for example, of things like pen testing. [Cloud providers are] not going to let you pen-test their infrastructure."
He says as an assessor, one of his biggest frustrations is hearing "trust me" from cloud providers about things like log reviews, when they claim they are not able to open the kimono because of the shared environment.
"You're going to have challenges with compliance if a provider is playing battleship with you," Conway says, explaining that once you lay out the spreadsheet detailing responsibility, you have to work with a provider that can collaborate with you to create SLAs and prove they've met the requirements they're responsible for. "So it's getting into the details of who does what and how you validate. I've seen providers do it, and when they do, it's great.
"It can be done, it just takes more work," he adds.