As more organizations leverage the cloud for critical business applications, they are discovering that one of the greatest challenges is combining existing internal controls with cloud protection efforts. Highly regulated business and government organizations in particular must maintain comprehensive security and compliance postures across these hybrid systems. Network World explores the issue in depth with:
- Shawn Kingsberry, CIO of the Recovery Accountability and Transparency Board
- Craig Sutherland, principal architect and engineer, lead associate, Booz Allen Hamilton
- Mike Rothman, president, Securosis
- Ken Ammon, chief strategy officer, Xceedium
NW: Let's start with a basic question. When companies are building hybrid clouds, who is responsible for what when it comes to security? What are the pain points as companies strive to address this?
AMMON: I think what you end up with is a shared-security model. The cloud service providers are offering many security capabilities that don't cost anything, that come with the service, and it's in your best interest to take advantage of those capabilities. But you define your compliance requirements and if you can't get the necessary coverage you add your own overlay security architecture.
The challenge, of course, is you have to figure out how to instrument that capability and how to manage it. And of course it makes sense to do this on an enterprise-wide basis, so that means developing an architecture that will span X + N cloud providers that will meet your policy and incident response requirements, give you access to the audit data you need, and simplify your implementation of policy across what may be an embedded security service within the cloud providers themselves.
ROTHMAN: A lot of folks think having stuff in the cloud is the same as having it on-premises except you don't see the data center. They think, "I've got remote data centers and that's fine. I'm able to manage my stuff and get the data I need." But at some point these folks are in for a rude awakening in terms of what the true impact of not having control over layer four and down is going to mean in terms of lack of visibility.
So I think people just figure, "Hey, it's cheaper, but it's more of the same." And they don't take the steps to build a program office and really work through the little details of jurisdiction and incident response and the compliance impact of not having control over what could be pretty sensitive and critical data.
SUTHERLAND: When deciding who is responsible for controls, the decisions need to take into account the service delivery and deployment model. The Cloud Security Alliance provides some great guidance in this area, and the cloud computing security working group is expanding all these models, and ultimately these responsibilities need to be contractually assigned during the procurement process. But the service-level agreements alone are not enough if the cloud provider is left with the option of modifying the agreements without warning, as happens on occasion.