Cloud computing has rapidly matured in the market. Many businesses have adopted private and public cloud strategies and have deployed on to cloud infrastructure and integrated with corporate support systems. As this cloud adoption occurred, security, privacy, and data governance have frequently been overlooked by the users of cloud computing, especially when demand comes from lines of business rather than IT departments who already have strong security and privacy policies. The desire to innovate rapidly and the adaption of agile software development methodologies that are paramount to accomplishing business success have come with a price of less security rigor.
There are 3 areas that must be addressed by cloud computing platforms to minimize security and compliance risk:
Privacy and data sovereignty
The first area and one that is increasing in importance is privacy and data sovereignty (Domains 4, 5, 6, 8, 9, 10). Privacy is the ability of an individual or group to ensure that personal or confidential data about them is kept confidential. Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. The information around a person or groups is meant to remain with private to them.
The laws and requirement for this vary from country to country, but many countries have very specific and constraining laws for data sovereignty that can have substantial impact on logical and physical cloudand storage architectures. It is critical that companies create a data privacy and sovereignty governance framework. This must meet the requirements that consumer data does not leave the country of origin, personnel outside that country (provider) do not have access to any aspect of the data, and all operations (provider) must be performed by in-country residence staff.
The second area is the cloud platform itself that must be secure from an access, operations, and application standpoint (Domains 1, 2, 4, 7). Access via the portal as well as APIs must be secured with API Firewalls, Web Application Firewalls, and Advanced Persistent Threat solutions. Operationally, SSAE16 and CSA CCM are good guidelines, but I prefer PCI which requires basic controls like firewalls, intrusion detection, and separate logical networks for control, management, network, storage, and application security and governance. From the application standpoint, identity management and security policies are critical to ensure that only authenticated users can access the data to which they have access rights.
A few words about compliance in cloud -- compliance is always the responsibility of the owner of the application, process, and data. The cloud provider has the responsibility to provide to their users the security controls and enable companies to comply with the regulatory and industrial best practices, but they are careful to state they do not ensure compliance. This is the interpretation of your auditor and can vary widely. It is critically important to consider compliance through two filters: first, the cloud provider’s internal compliance that they will share with you and allow you to audit; and the controls will enable you to build compliant solutions (ie., firewalls, IDS, and encryption capabilities). This second lens is important when auditors require mitigating controls.
Orchestration and Automation
The third area to address is the orchestration and automation systems that provide all the capabilities necessary to deliver, operate, manage, and maintain a cloud (Domain 3). The most vulnerable aspects of most cloud solutions are the orchestration and automation systems because they are “behind the firewall” and trusted. These systems usually use a single system account with a simple password. This environment must be treated as an untrusted segment with rigorous security controls enabled. It is important to understand the capabilities of these systems and the security models employed. Consider the security of the platform as discussed above and apply the same security rigor to the automation andorchestration systems.
As part of the recently announced Cisco Cloud Services , we understand your need for a cloud platform that protects you against security and compliance risk. That is why Cisco Cloud Services addresses the criticality of privacy and data sovereignty by building out an Intercloud that combines our cloud footprint with key partners to provide in country cloud delivery and data management. We deliver our cloud services through a secure platform, by doing X, Y and Z. And we’ve hardened the orchestration and provisioning systems to protect an area of cloud that is typically vulnerable. In addition, we have experts who can help you think through you’re a security strategy that includes data privacy and sovereignty governance as you move your business applications to the cloud. This journey is just the beginning but we are here to secure your applications in the cloud AND ensure data sovereignty.
For more information, check our website on Cloud Strategy, Management and Operations.
You may want also read the blog Securing Cloud Transformation through Domaine Ten Framework V2.0
I am also on Twitter @kenowens12