SAN FRANCISCO -- Visibility and transparency into cloud providers' infrastructure and security controls -- which can be elusive -- are essential to tackling cloud computing compliance, panelists told attendees at RSA Conference 2011.
"The first key is getting visibility," said Dennis Morreau, senior technology strategist in the office of the CTO at RSA, the Security Division of EMC Corp. "That will let you decide what circumstances you want to avoid and what you need to mitigate."
Visibility into the hardware, hypervisor and application levels is the most important step for vendors and customers to take, said Christopher Day, chief security architect at Terremark Worldwide Inc. "If you can't see it, you can't fix it or kill it."
However, visibility and transparency into cloud provider environments are missing today, said Chris Hoff, director of cloud and virtualization solutions of the Security Technology Business Unit at Cisco Systems Inc. "We're told we shouldn't care what makes something work," he said.
For example, when it comes to a multitenant environment sitting on a hypervisor with an Infrastructure as a Service (IaaS) provider, he said, "How do I trust the hypervisor? We're told to just trust it."
Steve Orrin, director of security solutions at Intel Corp., said companies need to determine their requirements and be prepared to pay a cloud provider for enhanced security. "At the end of the day, it has to be driven by use case," he said. Hoff agreed, noting, "Not all clouds are created equal," and adding that it's important to examine the controls a provider can offer.
Day said Terremark introduced a hybrid cloud model so customers don't have to deploy on a shared multitenant architecture. "People think all things IT have to be cloud. Cloud is just another way to deliver IT services," he said.
In a separate panel on public cloud computing compliance, John Engates, CTO at Rackspace Hosting, said the hybrid cloud model has helped ease many of its customers' compliance concerns. For example, one customer keeps its big database servers with regulated data on dedicated machines and moves parts of less sensitive applications to the public cloud, he said. His company has a security team that talks with customers to identify "the right tools for the job," he said.
"Transparency is key," Engates added. "We're willing to sit down with you and talk through what we're doing with security and compliance. It's still up to the customer to sort through those options."
Dynamic cloud environments create security and compliance challenges and require automation of audit and security functions, Hoff said. "We have a long journey ahead of us. ... It's hard to figure out how we're going to deal with that agility."
Terremark's Day also noted that it's important to be aware of the threats in a cloud environment. "Adversaries are out there looking for complexity ... and clouds are very complex," he said.