Cloud Visibility: Security Audit Demands for Your Cloud Vendor
The question isn't whether the cloud is secure, but whether your provider can show you what's behind the curtain.
Security is the deal breaker for many organizations reluctant to move their enterprise applications and critical data into the cloud. A survey commissioned by Microsoft late last year of IT and business decision-makers found that 75 percent see security as a key risk associated with cloud computing. Some experts will argue, however, that many cloud services are more secure than the in-house enterprise systems where many apps now reside.
Even in scenarios where that is the case, running enterprise data in the cloud means there are certain controls that are not only out of IT's hands, but also aren't visible to administrators or other stakeholders. As such, storing data in the cloud poses certain risk and compliance questions that aren't easy to resolve.
Consider this: Do you know the credentials of those running the systems in cloud services or the ratio of technicians per server? Is it one for every 500 or 1,000 servers? Where is your data being hosted, and on how many different instances? When data is deleted, is it completely eliminated from all servers? How, when and where is it being backed up? What precautions are in place to ensure data on one virtual machine doesn't spill over onto another hypervisor? Your data may be encrypted, but how do you know someone working for your cloud provider hasn't figured a way to decrypt your data?
These are a few of the numerous questions that many cloud providers aren't necessarily answering completely -- or at the very least aren't consistently doing so, some experts warn.
"Not being able to have that visibility and that comfort level that your cloud provider is doing the things that are important to you from a security perspective is slowing down cloud adoption in the enterprise," argues Scott Sanchez, a Certified Information Systems Security Professional (CISSP) and director of the security portfolio at Unisys Corp.
"It's one thing for the provider to say, 'Trust us,'" Sanchez adds. "We let the client pull back the curtain; we let them see audit results; we let them talk to our security folks. Unless you're perhaps one of the top five or 10 clients Amazon has in their cloud, they're not going to give you any of that information. All you get is a little Web page that says, 'We take all the security precautions,' and, frankly, I know they do, as does Rackspace and all the other main cloud providers. But they don't want to tell the public about it; their clients are kind of left to guess."
The Creation of CloudAudit
It's an issue that for years has concerned Christopher Hoff, director of Cloud and Virtualization Solutions for Data Center Solutions at Cisco Systems Inc. That's why Hoff spearheaded an effort called CloudAudit that seeks to develop standards for how cloud providers release information to prospective and existing enterprise clients that can satisfy their compliance and internal governance requirements.
Major cloud providers -- including Amazon.com Inc., Google Inc., Microsoft, Unisys, Rackspace U.S. Inc. and others -- are among those participating in the group, Hoff says, but that doesn't necessarily mean that they're broadly committed to supporting the specs that are released at this point in time. Nevertheless, observers in CloudAudit, which is working closely with the Cloud Security Alliance (CSA), can potentially standardize the way information is shared by cloud providers.
"Cloud computing providers, especially the leading ones, are being overrun by requests for audit information because the level of abstraction that they provide -- by virtue of their service definition -- means in many cases the transparency and visibility decreases."
Christopher Hoff, Director, Cloud and Virtualization Solutions for Data Center Solutions, Cisco Systems Inc., and Founder, CloudAudit
"Cloud computing providers, especially the leading ones, are being overrun by requests for audit information because the level of abstraction that they provide -- by virtue of their service definition -- means in many cases the transparency and visibility decreases. [This] causes an even more-important need for these questions to be answered," Hoff says.
"As they're getting overrun, it sure would be great to have a standard way of answering those questions once, and answering them dynamically, inasmuch as supplying information that relates to these compliance frameworks and questions, and making those answers available in a secure way to duly authorized consumers of that information," Hoff adds. "That could be people looking to evaluate your service, the consumer, auditors, security teams; it could be regulators, or it could be your own operational staff, for that matter."
CloudAudit uses the recently released CSA Cloud Controls Matrix, a framework that consists of 98 controls that specify how cloud providers should release detailed guidelines on how services are audited and risk is determined.
"This framework should look fairly familiar to people who've been involved in risk management, governance and compliance," says Jim Reavis, founder and executive director of the CSA.
The CloudAudit group is building a common API and name space, or directory, called the Automated Audit, Assertion, Assessment and Assurance API (A6) that lets cloud services providers disseminate audit-related data about their infrastructure, platform and application environments that customers can consume, according to Michael Versace, a CISSP and partner with the Wikibon Project.
"For example, if you want to subscribe to the Microsoft Windows Azure service or you want to become an Amazon EC2 customer, you'll want to see a SAS 70 [Statement on Auditing Standards No. 70] report from that vendor," Versace says. The type of cloud service you're subscribing to -- infrastructure, platform or application -- will affect the type of report you require.
"Compliance is the No. 1 driver in information security, and audits are the means to be able to achieve compliance," Reavis says. "It's a bigger issue than specific concerns about the cloud being risky, because we know that no type of IT system, no type of computer is impervious to being hacked."
Aiming for Transparency
Specifically, the CSA Cloud Controls Matrix consists of a cross-reference of some of the industry standards that are out there with regulations such as Control Objectives for Information and related Technology, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry spec for how credit-card payments are accepted in the cloud, and some of the key International Organization for Standardization auditing standards. It also consists of more granular controls, such as how firewalls are configured and how data is encrypted and backed up.
"We've translated that in terms of how we'd get the data," explains Doug Barbin, a director for SAS 70 Solutions Inc., a firm that conducts compliance audits for cloud providers.
The most common way that providers are sharing data with their customers is through audit reports, according to Barbin. Typically what happens is, if you've got a particular question from an existing or potential cloud provider, you have to read a document to find the answer to that question, assuming the provider has disclosed that information.
"The idea with CloudAudit was not to come up with a new set of standards, but to come up with another way that these companies can share this data so that the people who need it can get to it faster," Barbin says. "That could be prospects; that could be customers; that could be auditors. It could have a variety of use cases, but it's meant to alleviate the burden of having to sift through documentation to determine whether a services provider is providing a particular control."
Providing more transparency is critical to many organizations that are considering deploying data in the cloud, Versace says. "If their data is going to be living in the cloud or their applications are going to be living in the cloud, they want that environment to be as transparent as it can be," he says. "They need to understand who's using the data, how it's used, how service levels are being met."
Though the CloudAudit effort has been ongoing for a year, it has picked up steam since March, when the group started having weekly meetings. Still, it's in a formative stage, and in the coming months CloudAudit will start to raise its profile, adding more formality to the process. The version 1 spec is set to be released by July, Hoff says.
"CloudAudit is really not a legal entity in any way -- it's a standards development organization," Versace says. "It's a set of experts that have gathered around this idea that one of the missing links in the journey to the cloud is the ability to collect consistent data from an operations and an audit perspective from your cloud services provider, so you can make some basic risk-management decisions."
That said, CloudAudit is submitting version 1 of its spec to the Internet Engineering Task Force as a request for comment, and the group is now exploring how to formalize its efforts and expand upon its spec.
"The idea with CloudAudit was not to come up with a new set of standards, but to come up with another way that these companies can share this data so that the people who need it can get to it faster."
Doug Barbin, Director, SAS 70 Solutions Inc.
Meanwhile, CloudAudit is monitoring other industry activity as well. Versace points to the Common Event Expression (CEE) consortium, led by The Mitre Corp., which is looking to standardize how computer events are described, logged and exchanged.
"By utilizing a common language and syntax, CEE takes the guesswork out of even the most menial of event- or log-related tasks," claims a posting on the Mitre Web site describing the effort. "Tasks including log correlation and aggregation, enterprise-wide log management, auditing and incident handling, which once required expensive, specialized analysts or equipment, can now be performed more efficiently and produce better results."
In addition to Mitre, among those participating in CEE are Microsoft, Novell and The Open Group, as well as tool vendors ArcSight Inc., Loggly Inc. and Tenable Network Security Inc.
"If the CEE effort is successful, potential benefits to Microsoft customers and partners would be enhanced capabilities of Microsoft products, such as products in the Forefront and System Center product lines, and easier integration between Microsoft products and third-party products, which consume event data," says Eric Fitzgerald, a senior program manager at Microsoft representing the company on the effort.
In tandem with the CEE are The Open Group's X/Open Distributed Audit Standard (XDAS) extensions. The XDAS effort aims to leverage the work of the Distributed Management Task Force (DMTF) Common Information Model (CIM), "which is already defined, for better or worse, all of those domain objects," of common events logged in audit streams, says David Corlette, The Open Group's security forum project leader and a product line lead for identity and security event management products at Novell Inc.
"There has not been much discussion around how the classic network security auditing is going to play in the cloud arena," says Corlette. The principals behind the CEE and XDAS will be fleshing out their efforts over the coming months, he adds.
It's been nearly six months since Microsoft made its Windows Azure cloud service available. The company claims 10,000 customers are now using Windows Azure in some form, presumably for development efforts and pilots. Yet with the new Microsoft mantra of "all-in" for the cloud, IT will no doubt have a vested interest in the future of CloudAudit and whether vendors contribute to the effort in providing more disclosure of how customer data is handled.
Microsoft is not commenting on its future plans, if any, for CloudAudit, but Joel Sider, a senior product manager identity and security, in a blog posting re-iterated Microsoft's support for compliance frameworks.