Cloud computing has rapidly matured in the market. Many businesses have adopted private and public cloud strategies and have deployed on to cloud infrastructure users of cloud computing, especially when demand comes from lines of business rather than IT departments who already have strong security and privacy policies. The desire to innovate rapidly and the adaption of cloud native software development methodologies that are paramount to accomplishing business success have come with a price of less security rigor. This is a tradeoff that is not necessary.
Cisco Domain TenSM is our reference framework that provides a structured, vendor-agnostic approach to strategize and execute IT transformation to align to organizational needs and drive outcomes. Coupled with an end- to-end view of key elements such as security for your data center, cloud and beyond, Domain Ten offers a prescribed methodology for mapping and understanding your information technology capabilities—and most importantly, what needs to be addressed based on industry best practices.
There are 3 areas that must be addressed by cloud computing platforms to minimize security and compliance risk.
Privacy and Data Sovereignty
Privacy and the ability of an individual or group to ensure that personal or confidential data about them is kept confidential (Domains 4, 5, 6, 8, 9, 10) is the top a. Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. The information around a person or groups is meant to remain with private to them.
The laws and requirement for this vary from country to country, but many countries have very specific and constraining laws for data sovereignty that can have substantial impact on logical and physical cloud and storage architectures. It is critical that companies create a data privacy and sovereignty governance framework. This must meet the requirements that consumer data does not leave the country of origin, personnel outside that country (provider) do not have access to any aspect of the data, and all operations (provider) must be performed by in-country residence staff.
Cloud Platform Security
The cloud platform itself must be secure from an access, operations, and application standpoint (Domains 1, 2, 4, 7). Access via the portal as well as APIs must be secured with API Firewalls, Web Application Firewalls, and Advanced Persistent Threat solutions. Operationally, SSAE16 and CSA CCM are good guidelines, but I prefer PCI which requires basic controls like firewalls, intrusion detection, and separate logical networks for control, management, network, storage, and application security and governance. From the application standpoint, identity management and security policies are critical to ensure that only authenticated users can access the data to which they have access rights.
A few words about compliance in cloud – compliance is always the responsibility of the owner of the application, process, and data. The cloud provider has the responsibility to provide to their users the security controls and enable companies to comply with the regulatory and industrial best practices, but they are careful to state they do not ensure compliance. This is the interpretation of your auditor and can vary widely. It is critically important to consider compliance through two filters: first, the cloud provider’s internal compliance that they will share with you and allow you to audit; and the controls will enable you to build compliant solutions (ie., firewalls, IDS, and encryption capabilities). This second lens is important when auditors require mitigating controls.
Cloud Orchestration and Automation
Cloud orchestration and automation systems provide all the capabilities necessary to deliver, operate, manage, and maintain a cloud (Domain 3). The most vulnerable aspects of most cloud solutions are the orchestration and automation systems because they are “behind the firewall” and trusted. These systems usually use a single system account with a simple password. This environment must be treated as an untrusted segment with rigorous security controls enabled. It is important to understand the capabilities of these systems and the security models employed. Consider the security of the platform as discussed above and apply the same security rigor to the automation and orchestration systems.
Please stop by @CiscoDevNet @CiscoLive and see our @CiscoCloud Security panel: Securing PaaS and SaaS: What are Cisco and our Partners Doing to Secure Your Hybrid Cloud? – Session DEVNET-1045 on Wednesday July 13th @ 11:00 – 11:45