The role of auditors is to hold businesses to well-defined standards, and those standards just don't exist for cloud environments, says Chris Richter, vice president of security services for Savvis, who led a panel on cloud security. So auditors tend to err on the side of caution.
"They will be more strict because there are no clear policies for it," he says.
The rules will come with time, but they don't exist yet, so businesses need to be careful what data they submit to clouds and be sure data subject to compliance standards such as HIPAA, PCI and Sarbanes-Oxley can be provably handled within those standards.
"Auditors want to see the guts of the cloud," Richter says, and that is something many cloud providers don't allow. Many keep their physical architectures, policies, security, virtual LAN structure and other essential factors secret. "If they can't see how data flows, how VLANs are segmented, see how your data is partitioned from others', they won't OK it."
Complicating the issue is how identity and access management is handled so unauthorized users can't get in to corporate cloud resources, he says. "I'm not aware of anybody who's pulled off a really effective identity and access management in the cloud," Richter says.
That said, he thinks it's possible to use private clouds for even the most sensitive information. "The most robust private cloud I am aware of, yeah, I would be confident putting my most valuable data there," he says. Part of that is the level of control the business retains over the data, the applications and the infrastructure in a private cloud. "You can put more trust in what you are doing," he says.
Regardless of whether a cloud gains the trust of a business and can earn the approval of an auditor, the responsibility for protecting the data stays with the business; outsourcing the application or the platform or the infrastructure doesn't outsource the responsibility, he says.
And if a cloud provider is generally deemed compliant with some security standard, that doesn't mean an individual business's use of that cloud will pass muster as well. "It's you the end customer who is responsible for compliance, not the service provider," he says.
For businesses that plan to use some form of cloud, Richter set down eight steps to follow to make the transition safely from a private traditional infrastructure:

1. Appraise your applications. "Some applications are so woven into the corporate system that cloud really can't apply."
2. Classify data. Determine what is sensitive and what's not. "This has ramifications for what type of cloud you choose."
3. Determine the cloud type that suits you best: software as a service, platform as a service or infrastructure as a service.
4. Choose a delivery model: private, self-managed cloud; managed or outsourced; public cloud; enterprise public cloud; hybrid cloud.
5. Specify platform architecture. This should include specifications for computing, storage, backup, network routing, and virtualization vs. dedicated hardware.
6. Specify security controls. This should include firewalls, intrusion detection/prevention systems, log management, application protection, data-loss protection, ID and access management, encryption and vulnerability scanning.
7. Policy requirements. Check out cloud providers' policies to make sure they fit with your needs. "Believe me, they vary widely from provider to provider."
8. Look at the service provider itself. Is it geographically dispersed? Can customers auto-provision? Does the provider have enough capacity to meet the needs of bursting? Can they monitor all customers' traffic so one doesn't unintentionally launch a DoS attack against the cloud? What are the service-level agreements? Is the provider financially stable?
This story, "Interop: Cloud security raises concerns for auditors" was originally published by Network World.