Featured Article: On the Way to the Cloud

By Rick Dakin, CEO, Coalfire

Last week Computerworld published an article featuring Gartner’s predictions for 2012. Several of these predictions relate to trends we see every day as we work with our clients, including the migration to cloud-based services. Every industry analyst has already written an article explaining the merits of migrating software and services to a shared hosting environment, commonly called "the cloud." We also believe the migration to cloud-based applications and data serving is inevitable. However, the migration is not without risk.
While the cost of systems, shared software and infrastructure promises to cut operating costs in half, the cost of compromise could easily exceed these savings. In recognition of these risks, Coalfire recommends that organizations slow down from a dash to a fast walk and consider the following:

  1. Regulatory Compliance – Some applications and services are governed by specific regulatory requirements that either prohibit the use of shared hosting environments or require additional compliance validation prior to deploying sensitive data in "the cloud." In addition to the use of shared hosting providers, many outsourced services companies are providing remote management and security operations from systems hosted in the cloud. These remote services may appear to provide the service necessary to meet regulatory compliance but often fail to secure remote access, establish adequate logging or even provide background screening for administrators who manage the platforms. Out of sight does not mean out of mind for a trained auditor. These third- party regulatory failures are often the cause for significant costs to our clients when rapid remediation is required to bring outsourced service providers into compliance with regulatory requirements. You should ask each service provider to demonstrate that they have completed validation for compliance prior to acquiring the service. The two best practices that are published by NIST, for organizations looking to move their data to the cloud, are to ensure that the provider has conducted an independent audit and that the proper vendor due diligence is understood. The only real guidance within the PCI virtualization supplement, when considering cloud providers, is to make sure the scope is understood.
  2. Data Location and Ownership – As we launch a new wave of cloud-based audits, we are routinely discovering data migration to the cloud that was never intended by the data owner. In haste to reduce costs, either sensitive data or direct access to sensitive data was deployed in the shared hosting area in direct violation to company policy or regulatory requirements. However, this oversight is further compounded when sensitive data is collected, processed or stored in that same shared hosting environment. The data owner usually does not know the hosting location and may not even own the data created by the data owner. The cloud services companies are routinely accessing sensitive data transiting the cloud and republishing it for third-party benefit. Make sure your cloud hosting contract clearly identifies data ownership and protection requirements prior to contracting with a cloud service provider.
  3. Readiness of Hosting Providers to Secure Data – The cloud service providers are quick to point out the benefits of their services but are slower to acknowledge the risks. Only a few mature hosting companies have designed security into their services and have conducted audits to regulatory standards prior to accepting clients. It is easy to learn which ones have completed the testing. Simply ask them for a copy of their security assessment consistent with the regulatory or risk management objectives for your firm. The more mature hosting companies will either provide copies of their assessment or an attestation form from their auditor.
  4. Incident Response Planning – The fluid nature of cloud services complicates incident response. In many cases, the service provider may not be willing to support an investigation or provide access to their environment for investigation. You may find yourself in a significant data breach situation and have no ability to investigate or mitigate the damage. Ensure your contracts require third-parties to support incident response investigation and provide access to systems and data upon your request.
  5. Security Control Responsibility and Scope – Not all clouds are equal. Whether you are purchasing Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) you need to understand what services are provided. A cloud provider may accurately market their compliance with the PCI Data Security Standards but the scope of their assessment may have been limited to only a few control sections. Customers must ensure that all controls are accounted for and in place with their respective regulation.

The severity of risk associated with any of the above controls may appear that we are not recommending a migration to the cloud. We want to see our clients benefit from the cloud imperatives for lower costs, faster service delivery and more efficient integration of services. However, we recommend that each organization conduct