There is no doubt that cloud computing is dominating today's IT conversation among C-level security executives. Whether it's due to the compelling cost saving possibilities in a tough economy, or because of perceived advantages in provisioning flexibility, auto-scaling, and on-demand computing, CSOs are probing the capabilities, costs and restrictions of the cloud. At the same time, security and compliance concerns are at the forefront of issues potentially holding large enterprises back from capitalizing on the benefits that cloud computing has to offer.
Some of the most frequently asked questions among CSOs today about the cloud include: "Is using cloud computing services advisable for applications and data that are subject to compliance requirements? Is compliance in the cloud even possible? And what standards are in place already to avoid the stormier implications of cloud?"
Not surprisingly, any answer to these questions right now has to start with "It depends...."
Coming to a meaningful answer requires an understanding of the context in which the question is asked. The kind of cloud service under consideration -- public or private? IaaS, PaaS, or SaaS? - matters greatly in meeting compliance requirements. The individual compliance regulations and specific requirements are also key to understanding whether compliance can be achieved in a cloud computing deployment. This article examines the closely related compliance challenges that organizations face when contemplating cloud computing.
Blanket statements regarding compliance and cloud computing aren't possible, because there is no such thing as "the cloud". There are a number of different types of cloud computing services, and there are varying types of cloud infrastructures that can be created for single enterprises, and for groups of similar organizations.
A recent NIST paper (.doc) recognizes three service models: Infrastructure as a Service (IAAS); Platform as a Service (PAAS); and Software as a Service (SAAS). Under this, NIST further describes four different deployment models. These include private cloud, community cloud, public cloud and hybrid cloud.
The different service models and deployment models allow varying degrees of customer control, and place different obligations and responsibilities upon both customers and service providers with respect to security and compliance. In private clouds, for example, the organization building them is free to apply whatever set of controls they see fit.
In public, community, or hybrid clouds, the customer or user organization does not typically have this degree of control. In addition, the degree of control flexibility afforded the user organization for an IaaS service will generally be a lot higher as compared to a SaaS service. With the higher degree of flexibility offered to the customer organization by an IaaS service comes a higher degree of responsibility for security and compliance for the customer as well.
The type of cloud computing service and the deployment model have impacts beyond security and compliance. A recent whitepaper from the Jericho Forum entitled Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration [PDF link, or click here for non-pdf article on CSOonline.com] identifies some other critical dimensions for analyzing the security of cloud computing, including: internal/external; perimeterised/de-perimeterised; proprietary/open; and outsourced/insourced. Some of these dimensions bring additional concerns such as vendor lock-in, portability of data and applications, interoperability, data privacy, and data repatriation. These dimensions also affect the capability of a given cloud formation to satisfy compliance obligations.
While many of the benefits of cloud computing apply across different cloud service models and deployment types, the ability of the various kinds of cloud computing to address security concerns and to meet compliance obligations varies widely. For private clouds, building controls into the cloud that are necessary to enable compliance is fairly straightforward. For public cloud services, however, compliance is a more challenging endeavor.
Compliance Regulations and Cloud Computing Services
Another significant consideration when thinking about compliance and cloud computing are the specific laws and regulations, and the related regulatory guidance and requirements that affect an organization.
For some of the key compliance regulations, including HIPAA, GLBA, and PCI DSS, careful analysis of the specific requirements is required, along with a solid understanding of the security controls put in place by the cloud service provider. Herein lies a challenge, as many public cloud service providers are not very transparent in providing information to their customers describing the specific security controls deployed.
This means that organizations considering using cloud services should perform a gap analysis between the specific requirements identified in relevant regulations, and the set of controls provided by the cloud service provider. For IaaS cloud services, customers may be able to close gaps by deploying specific security controls on their virtual infrastructure.
For example, software firewalls and anti-malware software may be deployed as needed by customers in IaaS virtual machine instances to satisfy compliance (and security) requirements. In the case of SaaS cloud services, customers generally have far less ability to implement specific security controls, and must instead use the set of controls delivered by the cloud service provider.
It is also worth noting that satisfying many compliance requirements will require regularly assessing the control state for the cloud service at periodic intervals. For example, PCI DSS requires quarterly vulnerability scans be conducted for systems. Even performing vulnerability scans on public cloud services may be an issue, as some cloud services limit the customer's ability to do this in their contract language.
The Cloud Security Alliance's forthcoming version 2 guidance will provide extensive discussion of compliance and audit concerns related to cloud computing, along with many other areas of security concern.
Conclusions and Guidance
Using cloud computing services for data and applications subject to compliance regulations requires a high degree of openness and transparency on the part of the cloud service provider. Customer organizations considering the use of cloud services need to really think through what use cases make sense today, closely review contracts and service level agreements, really understand the compliance requirements and how they are met (or not met) by the cloud service. They should also insist on "right to audit" clauses and general transparency on the controls in use.
Perhaps in the future cloud services will emerge that are tailored to meet the compliance requirements of specific regulations and industries, but for now--caveat emptor!
Jim Hietala, CISSP, GSEC, is Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities. He was co-leader of the group that developed the compliance and audit content for the forthcoming Cloud Security Alliance version 2 guidance. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He blogs at www.compliancefocus.com.