Jian Zhen

Subscribe to Jian Zhen: eMailAlertsEmail Alerts
Get Jian Zhen via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: CEOs in Technology, Cloud Computing, Virtualization Magazine, Web 2.0 Magazine, Cloudonomics Journal

Blog Post

Security and Compliance in the Age of Clouds

You can outsource responsibility, but you can’t outsource accountability

At RSA 2009 there were a ton of conversations spun up around the topic of security and compliance in the cloud. First, there were ~20 sessions on cloud security and compliance. I was on one of the panels that focused on cloud security and whether the cloud is secure enough for the enterprises. (Great discussions there and huge thanks to Asheem Chandna of Greylock for organizing it.) Then Cloud Security Alliance released its Guidance for Critical Areas of Focus in Cloud Computing (my initial comments.) 

If you look across all of the regulations and mandates out there, like SOX, PCI, HIPAA, COBIT, ISO, etc etc, they all require essentially two things: transparency and control. Transparency is an absolute must. You need to know who’s accessed what data, when and where, and maybe why based on some documented evidence. That’s why you see big sections in these regulations/mandates requiring audit reports. PCI requirement #10 is a good example of this. (Ok, spare me the discussion on how PCI is useless. It’s not!) Control is also a must but transparency sometimes can be used as a compensating control. For example, a company MUST ensure that no shared IDs are used. Well, sometimes that’s not quite possible. So companies implement monitoring of all access to ensure IDs are not shared. Sometimes auditors will let that pass as a compensating control.

Then if you look at what you need to protect from a high level, at the risk of oversimplification, it generally comes down to data, applications and identity.

Identity information is what attackers are first after in order to penetrate the application and get to the data. This is why Identity and Access Management (IAM) is one of the top 3 security priorities for enterprises (source: Gartner) and they are spending ~11% (~$3B) of their IT security spending on IAM.

Then you have the applications which are being attacked left and right. The web application security market is red hot these days because of the prevalence of SaaS and other type of online applications.

And finally the attackers will get to the data. And there are a ton of different type of data. Data such as personal identifiable information (PII) are extremely valuable to some attackers and can be sold for anywhere between $25 to $100 per. You then have other type of data such as corporate financial information, intellectual properties and others that are invaluable.

What enterprises are looking for, regardless of in the cloud or on premise, are control and transparency on their data, applications and identities. Enterprise customers always need to make sure they are compliant with whatever regulations/mandates they are responsible for. In their own environment, they can do many things (defense-in-depth and other principles) to ensure they are “as compliant as possible.” However, in the cloud, they lose that control. In fact, it’s worse, in most cases, they lose transparency. They have no idea where their data is (in GAE, e.g.), or who’s accessing their info (most clouds), how their data’s protected (most clouds), and what data’s accessed for what reason (most clouds.) GAE is probably the worst offender in this case. During an interview with cloudsecurity.org, their GAE lead essentially said they cannot divulge ANY information around security. AWS is doing a slightly better job now in explaning. Though still, neither AWS nor GAE are providing ANY type of transparency through reports or logs (well, you could kinda get S3 logs.)

So in most cases, it’s not that AWS or GAE are less secure than most enterprise environments. They sometimes are probably more secure. However, the thing that most enterprise IT groups fear are losing control and transparency. They want to extend their audit controls into their cloud environment to ensure they are still compliant. Service providers need to step up to the plate and offer the reports enterprise customers are looking for.

As one of the former customer used to say, “you can outsource responsibility, but you can’t outsource accountability.” At the end of the day, the customer is still accountable for being compliant. If they fail the SOX audit, it’s not the outsourcer’s (or cloud provider’s) CEO that goes to jail. It’s the customer’s CEO.

More Stories By Jian Zhen

Jian Zhen, CISM, CISSP, is the Director of Cloud Solutions at VMware. He is responsible for working with the world’s largest service providers to design cloud infrastructures and platforms, and creating partner ecosystems for the clouds. Previously, he was the VP of Emerging Technologies at LogLogic, the log management and intelligence leader in San Jose, Calif. At LogLogic, he was responsible for the overall vision and strategy of LogLogic’s product lines. Prior to joining LogLogic, he was responsible for developing the Managed Security Services infrastructure for Exodus/Savvis. During his 12+ years career in the information security field, he has performed audits for many Fortune 1000 companies as an IT auditor with Ernst & Young and Charles Schwab. In his spare time, Jian also writes a variety of topics covering cloud computing, IT security, intellectual property protection, and managed services. You can also find him on LinkedIn and Twitter.

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

Most Recent Comments
BobP 05/04/09 09:17:00 AM EDT

Totally agree.........FYI, we manaufacture a commercially priced Trustworthy Platform for Preventing Most Network Breaches. 100% backed by Science and 100%y Transparent to any IP or SCADA networks. Clients include the Canadian Govt of Public Safety (DHS), US Navy, US Air Force, a large Metro NY County's Data Centers, etc. Meets OSI-Layer One (patented paradigm), Common Criteria, PCI-DSS, and DARPA 98 Standards. For a while longer we will continue to stay under every one's radar. However, will be pleased to answer any questions. Our only goal is to protect North America's and EU networks only Will partner with all networking OEM's. E-mail:Continuump@gmail.com. .