Cloud computing has rapidly matured in the market. Many businesses have adopted private and public cloud strategies, deployed onto cloud infrastructure, and integrated with corporate support systems. As this cloud adoption occurred, security, privacy, and data governance have frequently been overlooked by the users of cloud computing, especially when demand comes from lines of business rather than IT departments that already have strong security and privacy policies. The desire to innovate rapidly and the adoption of agile software development methodologies, both paramount to business success, have come at the price of less security rigor.

[Figure: Cisco Domain Ten]

There are 3 areas that must be addressed by cloud computing platforms to minimize security and compliance risk:

Privacy and data sovereignty

The first area, and one that is increasing in importance, is privacy and data sovereignty (Domains 4, 5, 6, 8, 9, 10). Privacy is the ability of an individual or group to ensure that personal or confidential data about them is kept confidential. Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. Information about a person or group is meant to remain private to them.

The laws and requirements for this vary from country to country, but many countries have very specific and constraining laws for data sovereignty that can have substantial impact on logical and physical cloud and storage architectures. It is critical that companies create a data privacy and sovereignty governance framework. This must meet the requirements that consumer data does not leave the country of origin, personnel outside that country (provider) do not have access to any aspect of the data, and all operations (provider) must be performed by in-country resident staff.

Cloud Platform

The second area is the cloud platform itself, which must be secure from an access, operations, and application standpoint (Domains 1, 2, 4, 7). Access via the portal as well as APIs must be secured with API Firewalls, Web Application Firewalls, and Advanced Persistent Threat solutions. Operationally, SSAE16 and CSA CCM are good guidelines, but I prefer PCI, which requires basic controls like firewalls, intrusion detection, and separate logical networks for control, management, network, storage, and application security and governance. From the application standpoint, identity management and security policies are critical to ensure that only authenticated users can access the data to which they have access rights.

A few words about compliance in cloud: compliance is always the responsibility of the owner of the application, process, and data. The cloud provider has the responsibility to provide to their users the security controls and enable companies to comply with the regulatory and industrial best practices, but they are careful to state they do not ensure compliance. This is the interpretation of your auditor and can vary widely. It is critically important to consider compliance through two filters: first, the cloud provider's internal compliance that they will share with you and allow you to audit; and second, the controls that will enable you to build compliant solutions (i.e., firewalls, IDS, and encryption capabilities). This second lens is important when auditors require mitigating controls.

Orchestration and Automation

The third area to address is the orchestration and automation systems that provide all the capabilities necessary to deliver, operate, manage, and maintain a cloud (Domain 3). The most vulnerable aspects of most cloud solutions are the orchestration and automation systems because they are "behind the firewall" and trusted. These systems usually use a single system account with a simple password. This environment must be treated as an untrusted segment with rigorous security controls enabled. It is important to understand the capabilities of these systems and the security models employed. Consider the security of the platform as discussed above and apply the same security rigor to the automation and orchestration systems.

As part of the recently announced Cisco Cloud Services, we understand your need for a cloud platform that protects you against security and compliance risk. That is why Cisco Cloud Services addresses the criticality of privacy and data sovereignty by building out an Intercloud that combines our cloud footprint with key partners to provide in-country cloud delivery and data management. We deliver our cloud services through a secure platform, by doing X, Y and Z. And we've hardened the orchestration and provisioning systems to protect an area of cloud that is typically vulnerable. In addition, we have experts who can help you think through your security strategy, including data privacy and sovereignty governance, as you move your business applications to the cloud. This journey is just the beginning, but we are here to secure your applications in the cloud AND ensure data sovereignty.

For more information, check our website on Cloud Strategy, Management and Operations.
You may also want to read the blog Securing Cloud Transformation through Domain Ten Framework V2.0.
I am also on Twitter @kenowens12



Authors

Kenneth Owens

Chief Technical Officer, Cloud Infrastructure Services