The two-day CSA Congress attracted about 550 attendees, including enterprise security pros and auditors, as well as consultants and cloud providers. Here’s a rundown of some of the show’s highlights Wednesday:
Cloud transforms CISO to vendor management role
Wendy Nather, research director in the enterprise security practice of The 451 Group, presented a session on cloud service-level agreements and the RFP process, dramatically entitled, “Security Fight Club: When CISOs and Providers Go to the Mat.” Cloud customers need to tread carefully when writing cloud RFPs, keeping the requirements general enough to stand the test of time but unambiguous enough to be enforceable, said Nather, who spent 15 years as a CISO in both the public and private sectors.
Cloud SLAs designed to ensure security need to account for details such as administrative access, multitenancy problems, insider misbehavior and exceptions, she said. Nather listed common arguments that customers can hear from their provider if they find security problems with an application, including, “This wasn’t in the requirements,” “We’ll fix it if you pay us,” and “If you remove that backdoor or change the root password, we can’t support you.”
In negotiating a cloud SLA, it’s better to avoid the term “best practices,” because a provider may respond that no one else does it, she said. Instead, describe the security requirements as those of the organization that must be met.
Increasingly, the role of the CISO is turning into one of vendor management, Nather said. “The CISO ends up managing security by contract.”
Microsoft cloud ISO 27001 compliant
Microsoft described how it goes about ensuring its cloud infrastructure is compliant. Mark Estberg, senior director of governance, risk and compliance management for online services security and compliance at Microsoft, said all of the company’s online and cloud services, including Office 365, Hotmail and Windows Azure, are built on a foundational level based on the ISO 27001 standard.
The company brings in internal and external auditors to receive certifications, including SAS 70 Type II, PCI DSS and FISMA, he said. More than 600 control activities map to 1,500 audit requirements such as HIPAA and PCI DSS. In addition to federal regulations such as HIPAA, Microsoft must also meet various state and international privacy laws.
However, Estberg cautioned that customers still have compliance obligations. “At the end of the day, I can’t meet your compliance needs,” he said. “You need to do it yourself.”
Manageability: Cloud’s four-letter word
Christofer Hoff, a founding member of the CSA and cloud computing thought leader, wrapped up the conference with a session inspired by Carlin’s “Seven Words You Can Never Say on Television.” Hoff’s seven dirty words of cloud security: scalability, portability, fundability, compliance, cost, manageability and trust. All of the words, he said, describe cloud security issues the industry is struggling with as the computing paradigm shifts.
“The differences in delivery and deployment models means it’s a multidimensional problem,” he said.
Manageability is the worst dirty word of all, with security everywhere but consistent management nowhere, he said. Trust models are a farce with no consistent way to compare them. “PGP, DNS and certificate authorities are starting to show cracks because of fragile trust models,” he added.
There are ways to address all the cloud security problems the industry’s dealing with, Hoff said, offering advice for each. The cloud offers a “fantastic opportunity for us to do things differently,” he said.
“I hope at the end of the day we’re not overcome and scared by them [the seven dirty words],” he said. “I hope we’re talking success rather than failure.”