Cloud // Infrastructure as a Service
News
8/28/2013 05:55 PM

Cloud Security: Why Auditors Are Part Of The Problem

IT must face the hard reality that compliance rules are stuck in the past -- and forge ahead anyway. Here's how.

InformationWeek Green, September 2, 2013 issue (full issue available as a digital download, registration required).


Audit Fail

What your CISO says when asked about moving a server to the public cloud: "No way -- we'll lose control of a mission-critical application." What she's really thinking: "No way -- it'll make my life a living hell during security audits."

And in fact, that's one of the few perfectly rational security-related reasons to shy away from the cloud. Audits become much more stringent -- and much more work to pass -- if you're using a third party for any kind of data storage or manipulation. Security auditors don't distinguish between the controls at a well-run on-premises data center and the security at, say, an Amazon Web Services or Rackspace data center, even though that difference is usually massive. In the most extreme cases, we're talking a keypad lock and someone casually perusing logs versus military-grade perimeters, data integrity monitoring, maybe even guys with M16s. Consider Terremark's entry in our IaaS Buyer's Guide: Run your server in its center and you get an SSAE 16-certified facility listed with the Cloud Security Alliance Security, Trust and Assurance Registry (STAR) that's compliant with both FIPS 140-2 and PCI DSS Level 1.

But will that level of security earn you any points with an auditor? Nope, even though the providers themselves are subject to relentless scrutiny.

"The level of inspection going into public cloud providers -- eight to 15 audits per year -- is significantly higher than into an individual organization, which would usually see a handful at most," says Matt Gyde, group general manager of security at service provider Dimension Data.

Furthermore, most security audits impose a fairly stiff penalty, in terms of additional paperwork and diligence required, on companies that use vendors rather than hire additional staff for a given task. Generally, as long as your company does criminal background checks, auditors give your employees the benefit of the doubt. Vendors, however, are treated like common criminals by default; IT organizations must prove their innocence for pages and pages. Amazon matches the criminal background check standard, plus it requires employees to explicitly request access to all AWS cloud components through a ticketing system. It reviews accounts every 90 days or when a job function changes. The default is explicit reapproval, or access is automatically revoked. How many private data centers have that level of control?
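The access-review cycle described above (explicit request, review every 90 days or on a job change, and revocation unless access is explicitly reapproved) is the kind of control an auditor can actually test. The following script is an added illustration of that recertification logic and is not Amazon's or any vendor's code; the grant records, the review date and the set of reapprovals are constructed sample data, and the `Grant` structure and function names are assumptions made for the example.

```python
"""Access recertification check: every grant is re-approved on a fixed
cadence (90 days) or when the holder's job function changes; any grant due
for review that has not been explicitly reapproved is revoked by default.
Added illustration only, not Amazon's or any provider's implementation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Set, Tuple

REVIEW_PERIOD = timedelta(days=90)  # assumed cadence, as described in the text


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    last_approved: date       # date of the most recent explicit approval
    job_changed_since: bool   # has the holder's role changed since then?


def needs_review(grant: Grant, today: date) -> bool:
    """A grant is due for review when the approval has aged past the
    review period or the holder's job function has changed."""
    aged_out = (today - grant.last_approved) >= REVIEW_PERIOD
    return grant.job_changed_since or aged_out


def recertify(grants: Iterable[Grant],
              reapproved: Set[Tuple[str, str]],
              today: date) -> Tuple[List[Grant], List[Grant]]:
    """Return (kept, revoked).

    Grants that are due for review keep access only if (user, resource)
    appears in the explicit reapproval set; silence means revocation.
    Grants not yet due are kept untouched until their next review date.
    """
    kept: List[Grant] = []
    revoked: List[Grant] = []
    for g in grants:
        if needs_review(g, today) and (g.user, g.resource) not in reapproved:
            revoked.append(g)
        else:
            kept.append(g)
    return kept, revoked


def next_review(grant: Grant) -> date:
    """Date on which the grant falls due for review, absent a job change."""
    return grant.last_approved + REVIEW_PERIOD


def run_sample() -> Tuple[List[str], List[str]]:
    """Constructed sample data: four grants reviewed on 2013-09-02.
    Returns (kept_users, revoked_users) so the outcome can be checked."""
    today = date(2013, 9, 2)
    grants = [
        # 32 days old, no role change: not yet due, kept
        Grant("alice", "s3-admin", date(2013, 8, 1), False),
        # 124 days old: due, but explicitly reapproved below, kept
        Grant("bob", "ec2-ops", date(2013, 5, 1), False),
        # 110 days old, no reapproval on file: revoked by default
        Grant("carol", "iam-admin", date(2013, 5, 15), False),
        # recent approval but job function changed, no reapproval: revoked
        Grant("dave", "billing", date(2013, 8, 20), True),
    ]
    reapproved = {("bob", "ec2-ops")}  # tickets closed as "reapproved"
    kept, revoked = recertify(grants, reapproved, today)
    return [g.user for g in kept], [g.user for g in revoked]


if __name__ == "__main__":
    kept_users, revoked_users = run_sample()
    print("kept:   ", kept_users)
    print("revoked:", revoked_users)
```

The design point is the default: a grant that is due and has no matching reapproval record is revoked without any further decision, which is what turns a periodic review from a paperwork exercise into a control whose output (the revoked list) an auditor can sample and verify.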

Dave Frymier, CISO at IT services vendor Unisys, says he deals frequently with customers that want to move to the public cloud but are running into problems with their auditors. At some point, we'll get to a place where auditors focus on what matters -- things like identity management and who has privileged access -- rather than where data lives. Consensus on how to use the public cloud securely, especially via efforts led by the federal government, will also drive significant changes in how public cloud security is judged.

But we're not there yet, and at the end of the day, companies must pass their security audits.

To read the rest of the article, download the September 2, 2013, issue of InformationWeek.

Comments
Laurianne, User Rank: Author, 9/3/2013 | 7:24:12 PM
re: Cloud Security: Why Auditors Are Part Of The Problem
Early adopters of virtualization were often told the question of compliance (for example, PCI compliance) would come down to the knowledge of the individual auditor. Does anyone have specific experiences to share along those lines regarding a cloud audit?
andrewboon2739, User Rank: Apprentice, 9/3/2013 | 3:13:56 PM
re: Cloud Security: Why Auditors Are Part Of The Problem
Good article. Came across an interesting take on cloud security that might interest a few readers: http://mcgladrey.com/Risk-Advisory-Services/Cloud-risks-Striking-a-balance-between-savings-and-security