
Risk

9/13/2010
09:59 PM
George V. Hulme
Commentary

Cloud Security And Compliance: Clear The Ambiguity

The fact that business consumers of public cloud computing services don't get much in the way of transparency into the governance and security efforts of their cloud providers has been an obvious hindrance to cloud adoption. Here's an example of how a nascent, but encouraging, standard - CloudAudit - aims to change that.

Last month I posted Cloud Audit Gets Real, which provides good background on CloudAudit and what the group aims to achieve.

Essentially, CloudAudit provides a common interface and the context around IT controls necessary to automate the auditing of cloud infrastructures to a number of compliance frameworks and regulations. To date, CloudAudit defines compliance "namespaces" for ISO 27002, PCI DSS, COBIT, HIPAA, and NIST 800-53. CloudAudit has also built upon work completed by the Cloud Security Alliance in cross-mapping between compliance framework controls.

I recently spoke with George Reese, co-founder and CTO at cloud infrastructure management provider enStratus, who has also worked closely on the development of CloudAudit, about enStratus having adopted CloudAudit.

Initially, Reese explains, enStratus became involved with CloudAudit because of how it could help advance better governance in the cloud. In addition, should CloudAudit take root and grow in the IT industry, it could have profound benefits for both the cloud providers and the enterprise consumers of cloud services. Here's how he summed up one of the greatest pain points CloudAudit helps to alleviate:

As a cloud provider, enStratus has to constantly undergo different kinds of audits from our customers. Each audit is different, and even if they're auditing for the same thing, each customer asks the same questions in different ways: it's just not economical.

No doubt. And how have cloud providers typically responded to this condition? As one might expect: they've hunkered down and become black boxes, avoiding real transparency. They don't reveal details about their governance efforts and security controls. What CloudAudit does, should it be successful, is make it easier and much cheaper to make IT controls transparent to whoever asks. Providers can publish their answers to the CloudAudit questions in a standard format that is readable by auditors and, one day, by automated programs. For example, here is a copy of enStratus' CSA CloudAudit assertions.

"CloudAudit makes it easier for customers to understand the governance environment on which they are thinking of operating," explained Reese.

While anyone could populate those assertions with any responses they'd like, authenticated customers or prospects can log in and see the supporting audit and control documentation - such as the results of a vulnerability assessment, or something as simple as statements of the policies and procedures in place.

Eventually, Reese explains, cloud providers and management companies could use CloudAudit to help better manage their customers' data. "Consider a company that has data that is subject to European privacy laws. enStratus would be able to query the different cloud providers a customer has accounts with and make certain that data never leaves Europe," Reese said. "Through the API we will be able to understand the requirements of the end customer as well as the response to our queries from the cloud provider," he said.
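One way a consumer-side tool could evaluate such published assertions across several providers against a data-residency requirement, written here as an added example (not enStratus or CloudAudit code; the namespace name, control id and JSON layout are constructed placeholders, since this page does not describe the real CloudAudit document layout):

```python
"""Consumer-side check over CloudAudit-style provider assertions.

Added illustration, not enStratus or CloudAudit code: the namespace name,
control id and JSON layout below are constructed placeholders.
"""
import json
from datetime import date

# Constructed sample: each provider publishes one machine-readable document,
# keyed by compliance namespace, then by control id. "evidence" names the
# supporting documentation an authenticated customer could inspect.
PUBLISHED_ASSERTIONS = json.loads("""
{
  "provider-a": {"namespaces": {"example:iso27002": {"data-location":
      {"regions": ["EU"], "reviewed": "2010-06-01", "evidence": "/audit/dc-list.pdf"}}}},
  "provider-b": {"namespaces": {"example:iso27002": {"data-location":
      {"regions": ["EU", "US"], "reviewed": "2010-08-15", "evidence": "/audit/dc-list.pdf"}}}},
  "provider-c": {"namespaces": {"example:iso27002": {"data-location":
      {"regions": ["EU"], "reviewed": "2008-01-10", "evidence": "/audit/old-report.pdf"}}}},
  "provider-d": {"namespaces": {"example:iso27002": {}}}
}
""")


def evaluate_residency(assertions, namespace, control, allowed_regions,
                       today_iso, max_age_days=365):
    """Return {provider: (status, evidence)} for a data-residency requirement.

    A missing assertion is reported as "unknown" and one reviewed more than
    max_age_days ago as "stale"; neither counts as compliant, so the check
    fails closed instead of treating a provider's silence as a pass.
    """
    today = date.fromisoformat(today_iso)
    results = {}
    for provider, doc in assertions.items():
        entry = doc.get("namespaces", {}).get(namespace, {}).get(control)
        if entry is None:
            results[provider] = ("unknown", None)
            continue
        if (today - date.fromisoformat(entry["reviewed"])).days > max_age_days:
            results[provider] = ("stale", entry["evidence"])
            continue
        status = "satisfied" if set(entry["regions"]) <= set(allowed_regions) else "violated"
        results[provider] = (status, entry["evidence"])
    return results


def providers_to_escalate(results):
    """Providers an auditor must follow up with before data may be placed there."""
    return sorted(p for p, (status, _) in results.items() if status != "satisfied")
```

Because assertions are self-published, the evidence reference is carried through so a human auditor can verify the claim rather than trusting the assertion alone.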

CloudAudit was also recently submitted to the Internet Engineering Task Force. The IETF submission is available here.

I hope that we will see more cloud management companies and providers back CloudAudit, because cloud providers, most especially public cloud providers, need to provide much more transparency into their controls if they're to be taken seriously by customers who value insight into how their data is secured or who operate in highly regulated industries.

And, unlike today, should CloudAudit take off there would be no justifiable reason for cloud providers not to be transparent.

For my security and technology observations throughout the day, consider following me on Twitter.
