“The first FISMA guidance was painful, but the auditors are getting better at what attestation means in the cloud,” said Christopher Day, senior VP of secure information services at Terremark Worldwide, at an RSA panel session called “The Compliant Cloud: Managing Compliance and Attestation for Cloud Services.”
“You’re creating as you go, at some level, with auditors. For FISMA, we had to sit down and write out controls,” said Dennis Morneau, senior technologist, office of CTO, at RSA.
Discussion and concern continue about how to ensure that cloud providers use controls matching those enterprises are expected to apply internally, and the dynamic nature of the cloud makes that harder.
“There are cloud providers who change code -- enormous chunks of it -- daily,” said panelist Chris Hoff, director of cloud and virtualization solutions at Cisco Systems. “That can change the model of how we expect to gain visibility and what it means. It changes what ‘continuous’ means.”
The rapidly changing environment means overly prescriptive regulations might not be a good approach to security in the cloud. More precise language about virtualization and the cloud would endorse specific approaches and technologies in an environment that doesn’t lend itself to neat categorization or precision.
A rush to prematurely lock in on cloud regulation could be “highly negative,” Morneau said. “You close the loop on effectiveness when you should incent actual security.”
Enterprises can minimize their potential compliance problems by choosing the appropriate environment for their systems and applications.
“What kind of cloud are you talking about?” Day asked. “There are many types; it’s rife with confusion. What are the elements of cloud for this application? What are security requirements?”
“Understand what you want from the provider, and what controls are possible,” advised Steve Orrin, director of security solutions at Intel. “You need to be driven by use case. Do you need a super-secure infrastructure for something that’s not mission-critical?”
The panel cautioned users to take precautions up front against vendor lock-in with cloud providers that might not be able to deliver what they promise, whether on security and compliance or on performance. Data and applications aren’t always portable among clouds, so enterprises should make sure provisions are in place for getting data in and out of a provider engagement. For example, moving an application from one platform to another can be difficult when it is coded to a single vendor’s API. Companies should have escape provisions defined in their contracts: How will they get data off the cloud? What are the penalties for not meeting the SLA?
“One size does not fit all. You have to take vendor lock-in into account,” Orrin said. “Once you go down that road, it’s very hard to pull out -- it’s not the provider’s job to enable you to pull out.”
Compliance should be a life-cycle process, rather than an event, whether in the cloud or a physical corporate network, the panelists advised.
“The key is to tie together controls up the stack through a management layer or dashboard or GRC,” Orrin said. “Be able to link controls at the infrastructure layer to the application layer. Maintain trust and verify beyond the initial audit, and make sure it is maintained through the entire life cycle.”