ORLANDO, Fla.—Day 2 of the Cloud Security Alliance Congress 2011 ran the gamut, from cloud SLAs and cloud computing compliance to a riff on the late George Carlin’s famous comedy routine.
The two-day CSA Congress attracted about 550 attendees, including enterprise security pros and auditors, as well as consultants and cloud providers. Here’s a rundown of some of the show’s highlights Wednesday:
Cloud transforms CISO to vendor management role
Wendy Nather, research director in the enterprise security practice of The 451 Group, presented a session on cloud service-level agreements and the RFP process, dramatically entitled, “Security Fight Club: When CISOs and Providers Go to the Mat.” Cloud customers need to tread carefully when it comes to cloud RFPs, keeping it at a high enough level to make sure it can withstand the test of time but also unambiguous so it can be enforced, said Nather, who spent 15 years as a CISO in both the public and private sectors.
Cloud SLAs designed to ensure security need to account for details such as administrative access, multitenancy problems
In negotiating a cloud SLA, it’s better to avoid the term “best practices,” because a provider may respond that no one else does it, she said. Instead, describe the security requirements as those of the organization that must be met.
Increasingly the role of the CISO is turning into one of vendor management, Nather said. “The CISO ends up managing security by contract.”
Microsoft cloud ISO 27001 compliant
Microsoft described how it goes about ensuring its cloud infrastructure is compliant. Mark Estberg, senior director of governance, risk and compliance management for online services security and compliance at Microsoft, said all of the company’s online and cloud services, including Office 365, Hotmail and Windows Azure, are built on a foundational level based on the ISO 27001 standard.
The company brings in internal and external auditors to receive certifications, including SAS 70 Type II, PCI DSS and FISMA, he said. More than 600 control activities map to 1,500 audit requirements drawn from regimes such as HIPAA and PCI DSS. In addition to federal regulations such as HIPAA, Microsoft must also meet various state and international privacy laws.
However, Estberg cautioned that customers still have compliance obligations. “At the end of the day, I can’t meet your compliance needs,” he said. “You need to do it yourself.”
Manageability: Cloud’s four-letter word
Christofer Hoff, a founding member of the CSA and cloud computing thought leader, wrapped up the conference with a session inspired by Carlin’s “Seven Words You Can Never Say on Television.” Hoff’s seven dirty words of cloud security: scalability, portability, fundability, compliance, cost, manageability and trust. All of the words, he said, describe cloud security issues the industry is struggling with as the computing paradigm shifts.
“The differences in delivery and deployment models means it’s a multidimensional problem,” he said.
Manageability is the worst dirty word of all, with security everywhere but consistent management nowhere, he said. Trust models are a farce with no consistent way to compare them. “PGP, DNS and certificate authorities are starting to show cracks because of fragile trust models,” he added.
There are ways to address all the cloud security problems the industry’s dealing with, Hoff said, offering advice for each. The cloud offers a “fantastic opportunity for us to do things differently,” he said.
“I hope at the end of the day we’re not overcome and scared by them [the seven dirty words],” he said. “I hope we’re talking success rather than failure.”