Security Compliance in a Cloud

Monday, April 19, 2010

Mark Gardner


As this is my first time posting on Infosec Island, I want to begin with a short bio.

I live and work in the UK as an ISO 27001 Lead Auditor. I complete Internal Audits, Partner Risk Assessments, and have responsibilities with regard to Security Awareness and Education as well as Security Incident Management.

I think it's fair to assume that over the coming weeks and months, these are all subjects that I will touch upon through this blog.

For this inaugural post I have decided to tackle what I perceive to be one of the biggest conundrums in the growth area of Cloud Computing: Security Compliance.

I use the term conundrum not because I believe for one second that Cloud Computing does not need security and some form of compliance, far from it, but because these seem suddenly to have become show-stopping issues for the uptake of cloud solutions.

Why I believe this is a conundrum is that ultimately, when a private cloud solution is broken down into its constituent parts, it is still a server hosting an application, storage, or both, being accessed via a network. Whilst not identical to a "traditional" enterprise set-up, there are clear similarities.

The main difference, of course, is that generally you do not host your own data; you hand that responsibility to your service provider. However, if you think about your own company's enterprise for a moment, can you state exactly where each piece of data is held, be it your fundamental customer data and applications or your company intranet? My guess, with all due respect, certainly in large corporations, is probably not.

As basic steps you would want access control on your servers, physical security of the data centre, and network security both internally and externally where your customers access their data, as well as any other measures needed to make sure that data privacy is protected. Should these practices differ depending on where your infrastructure is held?

Undertaking a full risk assessment of the infrastructure, and assessing the solution against the control set outlined in ISO/IEC 27001:2005 (Annex A), would make sure that you cover the security concerns, including third-party management, which is vital in the Cloud Computing space. Whilst Cloud Computing is new, I do not believe that from a security compliance perspective the wheel needs to be reinvented. There are existing frameworks and standards that will cover the new technologies if applied correctly.

Osvaldo Baratela: Mark, congratulations on your first post!
I agree with you that the security aspect alone cannot be a show stopper for the uptake of cloud solutions,
but the question is: who will assume the risk, in the cloud environment, in case of a problem or disaster, the customer or the third party?
Mark Gardner: Osvaldo, thank you for your kind words. In my opinion, this is the real showstopper to cloud adoption and I don't think there's a right or wrong answer. I think it's one for the contract lawyers!
Aaron Simmons: Mark, I agree with the concerns about security in regards to "Cloud Computing". However, beyond asking your ISP if they are ISO 2700x certified (there are NONE in North America), you need to be looking at EXACTLY how they have created the "Cloud" environment that your services will be operating in!
Mark Gardner: Aaron, thank you for your comment. We agree - I don't and wouldn't ever advocate just asking for their 27001 status.
Fred Williams: In the cloud arena, the customer assumes most of the risk. If you go with the public standard click-wrap offering, the terms and conditions usually state that the cloud provider is not liable for lost data or availability, can store your data anywhere, and can go out of business at any time.
Nick O'Neil: Cloud vendors (hosting providers) should act as a trusted advisor in leveraging the right technology to provide customers with the experience and not compromise security. Often we see that price wars sacrifice the integrity of a customer's business in terms of security. Hopefully, with the proper education and new definitions of cloud computing terms like Compliant Cloud, Hybrid Cloud, infiniCloud or others will be more established. Companies like Rackspace, Amazon and Logicworks provide a direct link to the appropriate cloud offering or, where needed, an account manager relationship to help comply with the needs of an organization in the cloud.