
Ellen Messmer over on CSOOnline had a great article up this week entitled “secrecy of cloud computing providers raises IT security risks“. Ellen does an excellent job describing how cloud providers that are vague and obscure about their security policies, processes and practices are not doing themselves or their customers any favors. As I have written before, I believe that the cloud is not going to wait for everyone to agree on how to secure it. That being said, cloud providers who want to gain an advantage on their competitors would be wise to heed the lessons in this article.

I thought my friend Andreas Antonopoulos, from Nemertes Research, said it well. From the article:

“If your service provider won’t give you information about security processes and plans in order to do what’s necessary, you shouldn’t trust that provider,” said Andreas Antonopoulos, an analyst with Nemertes Research.

The old idea of “security by obscurity,” which suggests you can defend your security position best by keeping mum about everything, is misguided, he said. “It doesn’t work. There’s always someone who knows,” Antonopoulos said. If you hear someone try to get your business by uttering that phrase, “run far and fast.”

I agree wholeheartedly. Securing the cloud is far from perfect today. But then again, securing anything is far from perfect. As Ellen says in her article, and as both analysts and customers echo, waving a SAS70 audit or a PCI audit is not securing the cloud. As John Pescatore of Gartner said in the article, “SAS-70 certification of any public cloud provider may be considered adequate for some customers, and not others. SAS-70 is pretty meaningless from a security level, but it makes auditors happy.”

That is so true. I have seen not only cloud providers but even managed security providers hide behind the shield of their SAS70 audit. Frankly, it is just not enough. You really need to peel the onion back deeper than that.

Also, if your cloud provider will not even tell you where your data is kept, I would not be really comfortable with that provider. But Google does exactly that and contends that it makes you more secure.

I don’t buy this, and neither should you. The cloud represents a great way to have economical, scalable infrastructure and platforms that you could not afford to build yourself. But you have a right to ask your cloud provider what they are doing, how they do it and what their security strategy is. If it is security by obscurity, maybe you should look for another provider.


Christofer Hoff July 14, 2010 at 4:03 am

Pssst.
http://www.CloudAudit.org

Might want to check the list of contributing parties. Some of them are mentioned in that article.

Sort of an interesting result when you type the words 'Cloud' and 'Audit' into Google ;)

/Hoff


BigBadRidingHood July 13, 2010 at 11:40 pm

Oh, no, it’s the Big Bad Hoff. He will Hoff and he will Poff…

He raises an interesting question. Should pigs buy their home design from Wolves?

Where is the org of people dedicated to audit independence? The CloudAudit link has a list of companies selling product who obviously have conflict-of-interest.

CSC, Enstratus, Arctec, Akamai, Microsoft, VMware, Google, Orchestratus, Unisys, Amazon Web Services, Savvis, Terremark, Rackspace, CloudScaling, Cisco…

Why search Google for the word cloud and audit? This is not a popularity contest; membership and marketing is not what makes audit work. You might realize by now the cloud does not change audit. Ask an auditor, instead of a cloud vendor. In other words do a search for discipline, integrity or independence from bias. You can apply those in the clouds all the way to the bank.


Christofer Hoff July 14, 2010 at 1:06 pm

Just a couple of points in response:

1) CloudAudit isn't a product, it's a methodology that allows providers to automate the gathering and presentation of audit artifacts and data as well as consumers (customers, auditors, cloud brokers) to gather the same. It does this by standardizing on audit compliance frameworks and creating a common set of interfaces and namespaces to organize the data.

The consumers of this information are primarily audit. CloudAudit is not designed to replace an auditor or auditing function but rather to automate the gathering of supporting materials that allow auditors to spend their time auditing versus data gathering.

2) The reason those companies are listed as participating is because they have a need to understand how CloudAudit will help them deal with the increasing audit pressures beyond furnishing a SAS-70 as well as understand what CloudAudit means to them operationally.

Those listed are the providers who are contributing because it shows their interest and support in solving this problem; there are over 300 people who have joined the community, many of them auditors, consultants, and customers.

3) The project's namespaces are built on the Cloud Security Alliance's Control Matrix Mapping project which we use to build the namespaces. We're a partner organization of the CSA as well as many others in the business of providing guidance to the security and audit community.

4) We have regular discussions with organizations such as ISACA who state the need for methodologies that satisfy the changing needs of audit that Cloud Computing brings; compliance and audit limitations are a huge barrier to entry for companies (both providers and consumers) now. Since organizations like ISACA recognize the impact virtualization and Cloud have on audit, it's at odds with your PoV.

It's certainly at odds with the QSAs, auditors and risk/compliance managers we have working on the project; many of them leading various efforts.

The following statement shows you haven't spent much time in the Cloud space: "You might realize by now the cloud does not change audit. Ask an auditor, instead of a cloud vendor."

^^^ We have, we do.

For whatever reason, you're clearly bitter and have a bone to pick with me. Secondly, it's pretty clear you don't understand what CloudAudit is, who works on it, the fact that the team's work was submitted to the IETF as an RFC and all the work is open and anyone can join.

/Hoff


Misha Govshteyn July 14, 2010 at 1:58 pm

BigBadRidingHood: it's not that Hoff is infallible or never wrong (caja china != bbq, for starters), but he is 100% right here. While the Cloud Security Alliance guidance suffers because it encompasses feedback from way too many self-interested parties and a large number of security practitioners worried about their future job prospects, I have not seen the same from CloudAudit. At least not yet.

The CloudAudit effort has nothing at all to do with your choice of auditor. It provides an automated and standard path for attestation of compliance, which will hopefully eliminate the need for every cloud customer to insert a right-to-audit clause in their contract so they have a green light to torture their cloud provider's staff for a few weeks a year. Cloud providers should be transparent in terms of architecture, operational state and security. CloudAudit allows them to do the latter without breaking their economic model.

My personal opinion (nothing at all to do with CloudAudit) is that selecting an auditor based on their supposed "independence", rather than cloud clue is sheer lunacy. Technology, architecture constructs and security controls used in cloud environments could not be more different than they are in the enterprise world. This will only become more pronounced as IaaS providers become PaaS players. Selecting an auditor who has done mainframe audits for the last 20 years will give you plenty of independence, but will also ensure that you are in for the most frustrating experience of your life.

Choose an auditor that has relevant expertise. Much more important than supposed "independence".
