Cloud Compliance – How to Stay Secure on an Intangible Infrastructure
By Sean Atkinson, Chief Information Security Officer
“If it is not my device, how do I control it?”
Security in the cloud can be a contentious topic. It has been challenging for users to define a set of criteria for cloud computing security and then be able to attest to its compliance. Over the past five years, cloud computing has become a strategic plan of action for many organizations, combining on-premises infrastructure with a virtual cloud network.
The appeal of cloud computing is hard to deny as a value proposition. It provides scalable infrastructure, on-demand responsiveness, and (based on the cloud provider) a multitude of services that augment the IT landscape. A key point to consider is that security is just as important in the cloud as it is on-prem.
Any strong IT security program will require that the following main areas are covered:
- Governance and policy
- Asset management
- Access control
- System development and maintenance
- Incident response
- Business continuity
No matter the cloud provider, you’ll need to confirm that controls are in place addressing the topics above. Each of these topics can be addressed to ensure controls and a measurable level of compliance. With a relatively simple approach to each, you can work with cloud providers and maintain a level of compliant and auditable control over your virtual network.
Compliance in the cloud
Let’s examine each of the security topics in more detail and find a way to ensure security is top-of-mind in cloud computing environments.
Governance and policy: As a standard, leading cloud providers maintain compliance and security controls as part of their infrastructure. In some cases, this means the users employ a risk strategy – that is, the user undertakes a certain amount of risk by transferring the security requirements to the cloud provider(s). Check the cloud services agreement for details and don’t be afraid to ask about security processes and policies.
It’s worth noting that the roles and responsibilities for maintaining security will depend upon the platform, infrastructure, and software-as-a-service model selected by the user. This will influence the level of ownership and security responsibility for both the cloud provider and customer.
Asset management: In order to successfully manage your assets, you’ll want a record of what systems are deployed as well as any security level which may be defined for those systems. Some tips:
- Manage the addition of new instances through a change control process
- Assign ownership of assets
- Monitor any cloud account(s) through the provider’s management console and with your own organization’s accounts payable
Access control: As with any system, role-based security is paramount. Nothing changes with a cloud implementation in this case; you’ll want to audit, review, and control access based on a user’s “need to know” and role-based access controls (RBAC).
System development and maintenance: Start this process by applying secure configuration standards like the CIS BenchmarksTM to any cloud-based environments. CIS Hardened Images are pre-configured virtual machines for a variety of platforms and technologies. Using such pre-configured secure images saves time over manually hardening a virtual machine. CIS Hardened Images allow for the deployment of already compliant systems for a variety business purposes. For those developing software in the cloud, CIS Hardened Images provide convenient security from the start. Once secure configurations are in place, maintenance to prevent “configuration drift” is the next step; regularly compare cloud configurations to the “golden” hardened image as part of your control framework.
Incident response: Communication is key when there is an incident in the cloud. Be sure to understand what role the user and cloud provider play in a security incident, as well as what the cloud provider can supply in terms of data. This response strategy may be utilized for testing the incident response process and ensuring both organizations know how the cloud provider’s supplied data will be utilized. The response strategy should be approved and documented within your organization’s incident response plan.
Business continuity: Consider what will happen if one or more of the systems upon which your organization relies fails. One of the many benefits of using cloud infrastructure is the ability to shift data quickly depending on your needs – should a natural disaster strike a main office, cloud-based services will run unaffected. However, you’ll want to consider your cloud provider’s resiliency and disaster recovery strategy. What are their guarantees and limitations in regards to “up time?” Based on this response, porting data to another cloud provider may be part of your organization’s business continuity strategy.
Don’t go it alone
Working in the cloud allows often provides organizations flexibility and convenience to scale their resources as needed. It also means working with others – such as cloud providers and IT staff – to ensure security measures are being implemented on the virtual network. Be sure to look into helpful resources like the CIS Hardened Images to help your organization stay secure in the cloud, and don’t be afraid to ask questions about your cloud provider’s security processes and procedures. With security in mind, the cloud can be a helpful extension of your organization’s IT infrastructure.