If you're in charge of compliance, you're no doubt as busy as ever these days. Throw some complexity posed by cloud computing into the mix, and you have a formula for not being able to keep up. Ensuring cloud compliance, however, isn't fundamentally new. You just have to be smart about security, just as if it were your own network and applications.
The real "gotchas" in the cloud involve certain misconceptions, assumptions and oversights that can very quickly get you into a cloud compliance bind. Following are the potential areas for vulnerabilities that stand out to me.
A contract won't keep your information secure.
Just because you're pulling a third party into your risk equation doesn't mean you're not going to be held liable. You may be able to spread some of the liability around, but it's ultimately your responsibility to ensure that your business is in line with the laws and regulations. Make sure you address cloud computing compliance in those contracts.
Take, for instance, the HITECH Act, which requires business associates providing services in the health care industry to comply with the same HIPAA rules to which covered entities are held. The same goes for PCI DSS for payment transactions. After my expert witness work in this area, I can assure you that if either of these regulations affects the businesses you work with and an incident occurs, you're going to be a party to the process, regardless of the root cause.
Talk is cheap. Do your due diligence.
Throughout my career, I've seen how vendor hype often leads to end-user letdown and increased information risks. If you're jumping onto the cloud computing bandwagon, don't assume that these cloud vendors are going to provide everything you need to be secure and compliant. Even when the cloud vendors claim that their applications and systems are going to make you compliant, don't buy it.
Compliance doesn't come in a box. This is especially true when it comes to problems that arise. There's already a disconnect with "physical" IT services providers. The disconnect can -- and often does -- widen if the cloud is brought into the equation where you're merely an electronic entity to providers.
As I experienced last year, cloud computing customer service can leave something to be desired. I found out the hard way that just because my business email goes down, that doesn't mean it's an emergency on the provider's part. I was without email for a couple of days and lost an entire day's worth of email in the process. I'm a two-person shop. Imagine if this happened to a larger business! Shame on me for not having a better continuity plan. Shame on my cloud provider for ignoring my requests for help.
High-level security checks don't tell the whole story.
That's not what I find in the real world. Cloud compliance doesn't come that easily.
It's usually quite simple to find compliance gaps and flaws in systems that are assumed to be secure. Lack of system monitoring, poor patching procedures, physical security weaknesses, SQL injection, unsecured wireless networks -- you name it. You have to dig in deeper if you're going to find the security issues that matter in the context of your business.
Don't be afraid to ask vendors for an independent verification that a cloud computing environment is secure. This is something they should assess at least once a year. If cloud providers ignore your requests or don't provide sufficient evidence that they're doing enough, see if you can get permission to do the tests on your own. Using good tools and ethical hacking techniques, you'll find vulnerabilities that are placing your sensitive information at risk.
Once you find the flaws, you may be hard-pressed to get your vendors to fix them. If so, you may be able to come up with other mitigating controls of your own. If not, use the power of the free market and find another provider.
The cloud is no different from your LAN.
Solid information security practices are the same regardless of the medium, whether it's your LAN, your wide area network or the cloud. Adopt a reasonable set of security practices for a given environment, such as the ISO 27002:2005 framework and COBIT. Apply them across the board.
Never forget that the cloud is not unique when it comes to security policies, incident response, disaster recovery and so on. The same controls still apply: authentication, access, patching, logging, monitoring and encryption. Use whatever is needed to not only meet the minimum compliance requirements but to also truly ensure that information is kept secure.
There you have it: The unexpected vulnerabilities in the cloud that many ignore and of which others remain ignorant. Put these on your radar and remain vigilant. It's your compliance initiative, it's your business -- and it's your job. Take the reins and never let up.
This was first published in March 2010