Getting Started With Cloud Compliance

Published: 22/11/2024   Category: security




All of the same compliance rules still apply in the cloud



Security teams looking for a magic solution to make their cloud environments compliant with security regulations would be just as satisfied with their search as they would in a hunt for Santa or the Easter Bunny: there is none, just as there isn't a silver bullet for compliance in any other IT environment. As with on-premises systems, compliance in the cloud takes hard work and a lot of planning.
"I've got a real simple one-liner if we're talking compliance in the cloud," says Walt Conway, a qualified security assessor and consultant for 403 Labs. "At its basic level, it doesn't matter -- the same rules apply."
Of course, Conway says, where things get tricky is that the context of compliance changes when a third party's actions could determine whether you get flagged by an auditor or a qualified security assessor (QSA). That's why any cloud compliance initiative should start with a simple planning spreadsheet, he says.
"In the first column you write every single regime requirement -- PCI, HIPAA, FISMA, whatever -- and you line them up. In the column next to it you write, 'Am I doing it?' Next to that, 'Is the provider responsible for it?' and next to that, 'Is it shared?'" Conway says. "Then you start going through there and filling it out. Until you finish that, you've got no business doing anything else."
This determination of responsibility is key, as it will give a clear path to understand how to get your own house in order to comply within the cloud and what to ask for from cloud providers.
"For example, in the cloud the underlying cloud infrastructure, its architecture, its maintenance, and its redundancy [are] clearly the responsibility of the provider; likewise, the application [in many cases] and all of the data maintenance [are] clearly the responsibility of the customer," says Allen Allison, chief security officer for NaviSite. "However, how an organization assigns roles and responsibilities for everything in between and assigns responsibility for the ongoing compliance of those roles and responsibilities is extremely important to the ongoing management of the compliance program."
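The planning spreadsheet Conway describes, written out as an added example that is not part of the original article: each row is one regime requirement with its "Am I doing it? / provider responsible? / shared?" answer, and a check lists the rows an assessor would push back on (no owner, a provider-owned control with nothing but "trust me" behind it, or a shared control where one side's part is missing). The regimes, control names and SLA references in the sample rows are constructed placeholders, not taken from the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

CUSTOMER, PROVIDER, SHARED = "customer", "provider", "shared"


@dataclass
class Requirement:
    regime: str                  # e.g. PCI, HIPAA, FISMA
    control: str                 # the requirement as the regime states it
    owner: Optional[str]         # CUSTOMER, PROVIDER, SHARED, or None if undecided
    customer_doing_it: bool = False  # the "Am I doing it?" column
    provider_evidence: str = ""      # SLA clause or report proving the provider's part


# Constructed sample rows (placeholder control names and evidence references).
MATRIX: List[Requirement] = [
    Requirement("PCI", "Quarterly vulnerability scans of in-scope systems", SHARED,
                True, "SLA 4.2: provider scans hypervisor layer"),
    Requirement("PCI", "Daily log review", PROVIDER, False, ""),
    Requirement("HIPAA", "Encrypt ePHI at rest", CUSTOMER, True, ""),
    Requirement("FISMA", "Physical access controls at the data centre", PROVIDER,
                False, "SOC 2 Type II report, section CC6.4"),
    Requirement("PCI", "Annual penetration test of the environment", None, False, ""),
]


def find_gaps(matrix: List[Requirement]) -> List[Tuple[str, str, str]]:
    """Return (regime, control, reason) for every row an assessor would flag."""
    gaps = []
    for r in matrix:
        if r.owner is None:
            gaps.append((r.regime, r.control, "no owner assigned"))
        elif r.owner == CUSTOMER and not r.customer_doing_it:
            gaps.append((r.regime, r.control, "customer-owned but not implemented"))
        elif r.owner == PROVIDER and not r.provider_evidence:
            gaps.append((r.regime, r.control, "provider-owned with no evidence"))
        elif r.owner == SHARED and not (r.customer_doing_it and r.provider_evidence):
            gaps.append((r.regime, r.control, "shared control missing one side's part"))
    return gaps


def gaps_by_regime(matrix: List[Requirement]) -> dict:
    """Count open gaps per regime, so the worst-covered regime stands out."""
    counts: dict = {}
    for regime, _, _ in find_gaps(matrix):
        counts[regime] = counts.get(regime, 0) + 1
    return counts


if __name__ == "__main__":
    for regime, control, reason in find_gaps(MATRIX):
        print(f"[{regime}] {control}: {reason}")
```

Until `find_gaps` returns an empty list, the matrix is not finished, which is the point Conway makes about not doing anything else first.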
Making Sure Your Own House is in Order
So many compliance best practices revolve around solid network segmentation to reduce scope of compliance and focus the most stringent security measures on the assets that really matter. One of the reasons why cloud compliance is so difficult is the architecture of cloud computing and virtualization environments tends to wreak havoc on efforts to segment network and data assets.
"What we have encountered ... is that people get excited about getting virtualization in their environment or going out and using a cloud service provider, and they didn't really stop and think through all of the implications," says Ken Biery, principal consultant of the cloud security services team for Verizon. "We all understand the concept of in-scope and out-of-scope systems, and the challenge is if you had the virtualized environment and in it you had some in-scope systems and you had some out-of-scope systems or kind of a mixed-mode environment, then you're going to be more challenged to convince your QSA that you truly isolated that environment or segmented it appropriately."
This is where a lot of hard work in the planning and design phase comes in, Biery says. Organizations that simply throw a bunch of IT resources onto the cloud to save a buck -- without thinking about which are sensitive and which are not, and without planning for segmentation and proper measures -- will end up paying in the long run.
"It's like anything else: If you take the time to do the design up front, you usually save a lot of headaches and complications down the road," he says, explaining that the most successful companies are taking the time to look at regulated data, like health care, payment card, or personnel information, and creating individual virtualized cloud segments for them. "You may want to have this pod or virtualized farm -- we've used both terms -- where you create this segmented, isolated environment where it discretely contains those areas that are sensitive, and you can obviously set it up in such a way that you keep the right controls [over them]."
Similarly, as Conway stated, best practices over those virtual machines all apply. Systems need to be patched and monitored accordingly.
Looking At Providers
When determining whether a provider can offer enough measures on their end to keep you compliant, transparency is the name of the game.
"Can you be compliant in the cloud? Yes -- no question you can," Conway says. "But the context is such that certain parts of it are going to be difficult because, for example, of things like pen testing. [Cloud providers are] not going to let you pen-test their infrastructure."
He says as an assessor, one of his biggest frustrations is hearing "trust me" from cloud providers about things like log reviews, when they claim they are not able to open the kimono because of the shared environment.
"You're going to have challenges with compliance if a provider is playing battleship with you," Conway says, explaining that once you lay out the spreadsheet detailing responsibility, you have to work with a provider that can collaborate with you to create SLAs and prove they've met the requirements they're responsible for. "So it's getting into the details of who does what and how you validate. I've seen providers do it, and when they do, it's great."
"It can be done, it just takes more work," he adds.
