Security and Compliance in the Age of Clouds

You can outsource responsibility, but you can’t outsource accountability

At RSA 2009 there were a ton of conversations spun up around the topic of security and compliance in the cloud. First, there were ~20 sessions on cloud security and compliance. I was on one of the panels that focused on cloud security and whether the cloud is secure enough for enterprises. (Great discussions there and huge thanks to Asheem Chandna of Greylock for organizing it.) Then the Cloud Security Alliance released its Guidance for Critical Areas of Focus in Cloud Computing (my initial comments.)

If you look across all of the regulations and mandates out there, such as SOX, PCI, HIPAA, COBIT, ISO, etc., they all require essentially two things: transparency and control. Transparency is an absolute must. You need to know who’s accessed what data, when and where, and maybe why, based on some documented evidence. That’s why you see big sections in these regulations/mandates requiring audit reports. PCI requirement #10 is a good example of this. (OK, spare me the discussion on how PCI is useless. It’s not!) Control is also a must, but transparency can sometimes be used as a compensating control. For example, a company MUST ensure that no shared IDs are used. Well, sometimes that’s not quite possible. So companies implement monitoring of all access to ensure IDs are not shared. Sometimes auditors will let that pass as a compensating control.
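The compensating control described above, monitoring access to show that IDs are not shared, can be sketched as a check over access logs. This is an added example, not code from the original post; the log format, account names, addresses and the 15-minute window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: ISO timestamp, account ID, source address, resource.
SAMPLE_LOG = """\
2009-05-04T09:00:12 svc_batch 10.0.1.15 /finance/ledger
2009-05-04T09:03:40 alice 10.0.2.21 /hr/records
2009-05-04T09:04:05 svc_batch 10.0.7.88 /finance/ledger
2009-05-04T09:30:00 alice 10.0.2.21 /hr/payroll
2009-05-04T13:45:10 bob 10.0.3.9 /crm/accounts
2009-05-04T17:20:00 bob 10.0.4.77 /crm/accounts
malformed line
"""

def parse(log_text):
    """Yield (time, account, source, resource); skip lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def shared_id_findings(log_text, window=timedelta(minutes=15)):
    """Return {account: [(t1, src1, t2, src2), ...]} for every account that was
    used from two different sources within `window` of each other."""
    by_account = defaultdict(list)
    for ts, account, source, _resource in parse(log_text):
        by_account[account].append((ts, source))
    findings = defaultdict(list)
    for account, events in by_account.items():
        events.sort()  # time order; adjacent pairs are enough to catch any overlap
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            if s1 != s2 and t2 - t1 <= window:
                findings[account].append((t1, s1, t2, s2))
    return dict(findings)

if __name__ == "__main__":
    for account, hits in shared_id_findings(SAMPLE_LOG).items():
        for t1, s1, t2, s2 in hits:
            print(f"{account}: {s1} at {t1} and {s2} at {t2}")
```

Each finding carries both timestamps and both sources, which is the evidence an auditor would ask for; sources behind NAT or a VPN concentrator will need an allow-list to keep false positives down.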

Then if you look at what you need to protect from a high level, at the risk of oversimplification, it generally comes down to data, applications and identity.

Identity information is what attackers are first after in order to penetrate the application and get to the data. This is why Identity and Access Management (IAM) is one of the top 3 security priorities for enterprises (source: Gartner) and they are spending ~11% (~$3B) of their IT security spending on IAM.

Then you have the applications, which are being attacked left and right. The web application security market is red hot these days because of the prevalence of SaaS and other types of online applications.

And finally the attackers will get to the data. And there are a ton of different types of data. Data such as personally identifiable information (PII) is extremely valuable to some attackers and can be sold for anywhere between $25 and $100 per. You then have other types of data, such as corporate financial information, intellectual property and others, that are invaluable.

What enterprises are looking for, whether in the cloud or on premise, is control and transparency over their data, applications and identities. Enterprise customers always need to make sure they are compliant with whatever regulations/mandates they are responsible for. In their own environment, they can do many things (defense-in-depth and other principles) to ensure they are “as compliant as possible.” However, in the cloud, they lose that control. In fact, it’s worse: in most cases, they lose transparency. They have no idea where their data is (in GAE, e.g.), or who’s accessing their info (most clouds), how their data’s protected (most clouds), and what data’s accessed for what reason (most clouds.) GAE is probably the worst offender in this case. During an interview with cloudsecurity.org, their GAE lead essentially said they cannot divulge ANY information around security. AWS is doing a slightly better job now in explaining. Though still, neither AWS nor GAE is providing ANY type of transparency through reports or logs (well, you could kinda get S3 logs.)

So in most cases, it’s not that AWS or GAE are less secure than most enterprise environments. They sometimes are probably more secure. However, the thing that most enterprise IT groups fear is losing control and transparency. They want to extend their audit controls into their cloud environment to ensure they are still compliant. Service providers need to step up to the plate and offer the reports enterprise customers are looking for.

As one of the former customers used to say, “you can outsource responsibility, but you can’t outsource accountability.” At the end of the day, the customer is still accountable for being compliant. If they fail the SOX audit, it’s not the outsourcer’s (or cloud provider’s) CEO that goes to jail. It’s the customer’s CEO.

More Stories By Jian Zhen

Jian Zhen, CISM, CISSP, is the Director of Cloud Solutions at VMware. He is responsible for working with the world’s largest service providers to design cloud infrastructures and platforms, and creating partner ecosystems for the clouds. Previously, he was the VP of Emerging Technologies at LogLogic, the log management and intelligence leader in San Jose, Calif. At LogLogic, he was responsible for the overall vision and strategy of LogLogic’s product lines. Prior to joining LogLogic, he was responsible for developing the Managed Security Services infrastructure for Exodus/Savvis. During his 12+ year career in the information security field, he has performed audits for many Fortune 1000 companies as an IT auditor with Ernst & Young and Charles Schwab. In his spare time, Jian also writes on a variety of topics covering cloud computing, IT security, intellectual property protection, and managed services. You can also find him on LinkedIn and Twitter.

Most Recent Comments
BobP 05/04/09 09:17:00 AM EDT

Totally agree... FYI, we manufacture a commercially priced Trustworthy Platform for Preventing Most Network Breaches. 100% backed by Science and 100% Transparent to any IP or SCADA networks. Clients include the Canadian Govt of Public Safety (DHS), US Navy, US Air Force, a large Metro NY County's Data Centers, etc. Meets OSI-Layer One (patented paradigm), Common Criteria, PCI-DSS, and DARPA 98 Standards. For a while longer we will continue to stay under everyone's radar. However, will be pleased to answer any questions. Our only goal is to protect North America's and EU networks only. Will partner with all networking OEMs. E-mail: [email protected].
