
Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream)

In the Information Security community, many of us have long come to the conclusion that we are caught in what I call my “Security Hamster Sine Wave Of Pain.”  Those of us who have been doing this a while recognize that InfoSec is a zero-sum game; it’s about staving off the inevitable and trying to ensure we can deal with the residual impact in the face of being “survivable” versus being “secure.”

While we can (and do) make incremental progress in certain areas, the collision of disruptive innovation and massive consumerization of technology with the slow churn of security vendor roadmaps, dissolving budgets, natural marketspace commoditization and the unfortunate velocity of attacker innovation yields the constant realization that we’re not motivated or incentivized to do the right thing or to manage risk.

Instead, we’re poked in the side and haunted by the four letter word of our industry: compliance.

Compliance is often dismissed as irrelevant in the consumer space and associated instead with government or large enterprise, but as privacy continues to erode and breaches make the news, the fact that we’re putting more and more of our information — of all sorts — in the hands of others to manage is again beginning to stoke an upsurge in efforts to somehow measure and manage visibility against a standardized baseline of general, common sense and minimal efforts to guard against badness.

Ultimately, it doesn’t matter how “secure” Cloud providers suggest they are.  It doesn’t matter what breakthroughs in technology sprout up in the face of this new model of compute. The only measure that counts in the long run is how compliant you are.  That’s what will determine the success of Cloud.  Don’t believe me? Look at how the leading vendors in Cloud are responding today to their biggest (potential) customers — taking the “one size fits all” model of mass-market Cloud and beginning to chop it up and create one-offs in order to satisfy…compliance.

Why?  Because it’s easier to deal with the vagaries of trust and isolation and multi-tenant environments by eliminating the latter to increase the former. If an auditor/examiner doesn’t understand or cannot measure your compliance to those things he/she is tasked to evaluate you against, you’re sunk.

The only thing that will budge the needle on this issue is how agile those who craft the regulatory guidelines are, or how clearly you can demonstrate that your compensating controls mitigate the risks that the service provider’s own controls do not. Given the nature and behavior of those involved in this space and where we are with putting our eggs in a vaporous basket, I wouldn’t hold my breath.  Movement in this area is glacial at best and in many cases out of touch with the realities of just how disruptive Cloud Computing is.  All it will take is one monumental cock-up due to a true Cloudtastrophe and the Cloud will hit the fan.

As I have oft suggested, the core issue we need to tackle in Cloud is trust, since the graceful surrender of such is at the heart of what Cloud requires.  Trust is composed of Security, Control, Service Levels and Compliance.  It’s relatively easy to establish where we are today with the first three, but the last one is MIA.  We’re just *now* seeing movement in the form of special interest groups (SIGs) to deal with virtualization.  Cloud?

When the best you have is a SAS 70, it’s time to weep: a SAS 70 report attests to whether a service organization follows the controls it chose to describe, not to whether those controls are the right ones, so it is an audit artifact rather than a security baseline.  Conversely, wishing for more regulation will simply extend the cycle.

What can you do?  Simple. Help educate your auditors and examiners. Read the Cloud Security Alliance’s guidelines. Participate in making the Automated Audit, Assertion, Assessment, and Assurance API (A6) a success so we can at least gain back some visibility and transparency which helps demonstrate compliance, since that’s how we’re measured.  Ultimately, if you’re able, focus on risk assessment in helping to advise your constituent business customers on how to migrate to Cloud Computing safely.

There are TONS of things one can do in order to make up for the shortcomings of Cloud security today.  The problem is, most of them erode the benefits of Cloud: agility, flexibility, cost savings, and dynamism.  We need to make the business aware of these tradeoffs as well as our auditors because we’re stuck.  We need the regulators and examiners to keep pace with technology — as painful as that might be in the short term — to guarantee our success in the long term.

Manage compliance, don’t let it manage you because a Cloud is a terrible thing to waste.

/Hoff

  1. @OBazaS
    January 25th, 2010 at 06:04 | #1

    A great article and a theme I believe will stew as Cloud grows. Established models and regulations are not as agile as the participants or technologies are now becoming. Will we enter an era of impotent regulation shielding higher risk taking (as we've seen in financial markets)? …and will compliance ever be a four letter word?

    @OBazaS

  2. @daintree
    January 25th, 2010 at 07:25 | #2

    Without a doubt, we lack a common nomenclature for making (and refuting) assertions of security, privacy, reliability (attributes that lead to trust). "[A]uditor/examiner doesn’t understand or cannot measure" – absolutely.

    I'm not sure all IT buyers hear "compliance" like you mean it here, though – I've heard "is your product compliant?" from enough senior IT people to worry that the problem is two-fold. 'Compliance' can be viewed as, firstly, only a minimum regulatory requirement and, second, a static state (tick the compliance box) rather than a lifelong struggle.

    All just words, but positioning is everything…

  3. January 25th, 2010 at 09:24 | #3

    It occurs to me that in reading Rich Miller's post where he references this one that I need to clarify something. I posted this on his comment section (http://www.datacenterknowledge.com/archives/2010/01/25/the-cloud-computing-compliance-conundrum/ ):

    Rich:

    Thanks for the ping. I really should have emphasized more the unfortunate value decay of "security" into compliance and reiterate the notion that security does not equal compliance (or vice versa.)

    I don't want people to come away with the message that I think that compliance is more important than "security" or managing risk, because that's definitely NOT the case. Rather, it's a delicate and rather unfortunate position that we're in when compliance trumps other more reasonable approaches to ensuring viable business operations.

    /Hoff

  4. January 25th, 2010 at 14:24 | #4

    If compliance is all we have then today, we have nothing. Waiting for mature, comprehensive regulations is a no win scenario. Most realize that compliance is a poor excuse for security, hence all the private cloud activity. CSPs must develop security and privacy standards that are BETTER than what most businesses can do for themselves backed by some auditing and assurance mechanisms. Otherwise, CSPs will filter into the background of the Internet like hosting providers (a nice enough service for sure) leaving cloud to never reach its full potential.

  5. Ron Knode
    January 26th, 2010 at 12:00 | #5

    Well said. A forceful (and entertaining) echo in the cloud of earlier discoveries and comments about the ultimate importance of "trust" versus other words often intended to characterize related aspects (e.g., security, privacy), but which do not represent the real need, and so should never be confused as synonyms. This commentary could be used almost "as is" for other (earlier) IT delivery schemes. Think of it! We needed "trust" in the web (not just "security"), "trust" in software development (not just "security"), "trust" in SOA (not just "security"), and on and on and on. The distinction comes down to the ability to create new enterprise value ("trust" can do that), versus merely the incremental improvement in the protection of enterprise value we've already got (that's what "security" does). Compliance, on the other hand, is the (reliable) satisfaction of a set of security/integrity/availability conditions that have been declared to be "acceptable" by an authority with some governance responsibility. While this is no place to delve into the psychological and sociological constituents of trust, it is clear that there is a (strictly) technological contributor to trust (often called "digital trust") and that's what we're talking about here.

    In my research, the key ingredient to digital trust generation is visibility into the system as designed and at work. The greater the "transparency" of operation, the more "digital trust" is generated, and the more opportunity for enterprise value creation is presented. It's amazing how this works. And, at the same time, such transparency also contributes to control mechanism validation, making compliance more achievable as well.

    So, heed the words of "trust" in the cloud. For greater explanation of the linkage between transparency and digital trust generation, see http://www.csc.com/security/insights/32270-digita… or related articles at http://www.csc.com/lefreports. This is not the "zhu zhu pet of the day" for the cloud. The power of trust (including digital trust) is enduring as long as transparency is reclaimed and reported reliably.

    One of the aims of the A6 group is to explore techniques for cloud security claims and assurances, and making them standard (or at least interoperable). Seems like more than a worthy objective to me.

  6. Laurent
    January 26th, 2010 at 22:05 | #6

    Well, at the end, isn't "trust" the main point for information security, for which we are developing tons of regulations and controls… About trust in computing, Ken Thompson's Reflections on Trusting Trust (http://portal.acm.org/citation.cfm?id=358210) is very interesting too!

  7. January 28th, 2010 at 07:39 | #7

    As always, great post.

    Since we know how insufficient compliance has been…

    …since we see how Compliance != Security

    …to state the obvious… isn't it a bit deflating that we need to stretch to even get that low/low baseline in clouds?

    If "aiming high" is to one day be able to assure compliance… how can we hope to insert meaningful security into 3rd party clouds?

    [yes - I'm trying to start a discussion]

  8. EvieSids
    May 18th, 2010 at 07:17 | #8

    Hi Chris,

    This is a great post. We liked it so much, we made a video about it- let us know what you think: http://vimeo.com/11685089
