Security and Compliance in the Cloud

I recently returned from ISACA’s Information Security and Risk Management Conference in Las Vegas and of the 36 sessions offered on security and compliance, seven were on the topic security and compliance for cloud services.  There were several key take-aways that I found interesting:

• Cloud computing is analogous to the 1800s when every factory had to generate it’s own electrical power for manufacturing.  Once electricity generation was moved to a utility (in the cloud), economies of scale drove generation costs out of the business and gave the business on-demand elasticity for electricity.
• Gartner is predicting that (due to the spread of cloud computing) 25% of companies will no longer have IT departments in 2012.
• Cloud security will be baked into the SDLC for cloud service offerings
• Decisions regarding the use of cloud based services are not being made by IT departments but by individual business line department heads that have budget authority.  A cloud service can be piloted in many cases by simply providing a credit card number.  The due diligence security phase of procurement is circumvented.
• With 2/3rds of existing IT budgets used to maintain existing infrastructure, businesses see the ‘cloud’ as a way to recapture 10s to 100s of millions of dollars for R&D.

Some concerns for security and compliance minded folks are:

• Not being able to track where data is located – data in the cloud knows no geographic boundaries.  This can cause problems knowing what country’s regulatory requirements may applied to your data.
• Lack of legal precedents around what data held by the service provider can be viewed by a government agency without your knowledge or notification.
• Data access in the cloud needs to be tracked just as if it were in premises and controls enforced in the cloud with regard to who can access what company data in the cloud.  Similarly, reporting and monitoring of logical and physical access to data by the cloud services provider personnel is spotty at best.
• SAS 70’s provided by service providers are better than nothing — but not by much.  A SAS 70 is an attestation by the service provider that they recognize certain risks and what controls they have in place to mitigate those risks.  The risks and controls are reviewed by an audit firm who agrees with their assessment that the controls cover the risks and sign’s off.  Only with the SAS 70 Type 2 are the provider’s controls tested.

Just like when buying products over the web first started, establishing trust is the key to wide spread adoption. My conclusion is that ‘Transparency’ on behalf of cloud based service providers is really what’s needed to accelerate adoption of cloud based services (SaaS).  Splunk is ideally suited to help with transparency issues.  Data tracking can be baked into service offerings using Splunk and a company’s data tagged with identifying information about company, location, business unit, whether the data contains private information, and name of the individual who created the data — a catalog of data ownership.  On the receiving end, the service provider provides real-time views into where the company’s data is stored at any given time down to what disk in the data center, who accessed the data on their side (physical and logical access), and follows the life-cycle of the data from acceptance by the service provider to destruction.

The nexus of this ownership and access data allows reporting on where my data is, who’s accessed the data, whether specific private data is in a geo-location it shouldn’t be, knowing about potential data loss, and what compliance it may be subject to.

In short…

• Trust – Trust is a key to adoption of SaaS, and transparency is the key to trust.
• Know where your data is in the provider’s environment
• Know how and by who your data is accessed – not only by corporate users but also cloud provider staff
• Know your cloud provider’s performance – data loss, data integrity, receipt of data, report building (render times)
• Know how (or which parts) of the SaaS offering your company uses most and which are less important.

Cloud computing SaaS is here to stay and — hopefully — transparency will become a differentiator for service providers.