Cloud Compliance Catch-22Cloud Provider Compliance Isn't Synonymous with Your Own
The fact of the matter is that when you and I say "cloud," we may be thinking of two very different things. Partly this stems from the adage "what's old is new again" (welcome back, centralized computing) and partly from a lack of common definition or standards to provide a ready frame of reference.
Thankfully, the National Institute of Standards and Technology is on the case. With its release of Special Publication 800-146 [see NIST Issues Long-Awaited Cloud Guidance], the term "cloud" is defined as a service that maintains a pool of hardware resources to maximize service and minimize cost while providing a resource efficiency that permits hardware refresh without impact to its users. Though a mouthful even in paraphrase, this definition should instantly summon references that fit the model and industry terminology such as "high availability" that prove nearly synonymous, albeit not quite as catchy.
For too long, cloud service providers have expected organizations to faithfully trust that their data are being adequately protected.
SP 800-146 further details that cloud service may be provided in private, community, public and hybrid architectures. Additionally, software-as-a-service, infrastructure-as-a-service and platform-as-a-service environments may be considered to be cloud service offerings.
Nevertheless, SP 800-146 is more targeted toward adoption considerations. Apart from references to SP 800-53, cloud-specific security controls are largely lacking in SP 800-146. For those financial institutions affected by the FFIEC's public statement on cloud computing, the effect should be strangely familiar.
Filling the Gap
Fortunately, the Cloud Security Alliance has created its Cloud Controls Matrix to fill the gap. The CCM includes useful mappings to standards, regulations and frameworks such as COBIT, ISO/IEC 27001, HIPAA, HITECH, SP 800-53 [see NIST Updating Catalog of Controls] itself, and even the Payment Card Industry Data Security Standard version 2.0.
When viewed holistically, the combined results of SP 800-146 and the CCM are welcome steps in the right direction. For too long, cloud service providers have expected organizations to faithfully trust that their data are being adequately protected, without these organizations having the ability to independently assess effective controls. Worse, this Wizard of Oz-like ruse has been largely perpetuated as being in customers' best interest, with little flexibility or cooperation provided to those who would dare question what exactly might lie behind the curtain.
Consider the vaunted Amazon cloud service. Within its frequently asked questions the reader finds, concerning PCI DSS compliance, that "a merchant can obtain certification without a physical walkthrough of a service provider's data center if the service provider is a Level 1 validated service provider such as Amazon Web Services, or AWS. A merchant's quality security assessor can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers."
Now, this is despite PCI DSS version 2.0 requirement 9 validation requirements instructing that the qualified security assessor verify physical controls and that the QSA and merchant/service provider annually verify storage location security. Perhaps, should Amazon be willing to provide report on compliance content detailing how its scope of assessment applies to each merchant/service provider's defined cardholder data environment scope as well as its own so as to permit control evaluation, compliance could still be had. But what are the odds of this, given that Amazon won't permit a simple walkthrough, let alone a customer site visit?
Where are the Data?
Then again, as Amazon states on its AWS Security and Compliance Center page, "Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers." Therein lies perhaps the most puzzling of questions for cloud-service adopters: Where exactly are your data? One can only assume, based on Amazon's documentation, that the secrecy is "a security thing."
In the end, it truly comes down to a case of buyer beware. If your cloud service provider lacks in transparency and cooperation when it comes to supporting your organizational compliance needs, you had better think twice about what exactly is appropriate use. If you expect to store your cardholder, protected health, non-public personal information or other sensitive data in the cloud, you must understand that cloud provider compliance is not synonymous with your own and that most every multi-tenant environment will present troublesome compliance challenges.
As such, organizations may be best served by further aligning their adoption efforts with those of FedRAMP, in which all but private cloud deployments are restricted to those services with systems ranked low to moderate by NIST 800-53 version 3. Practically speaking, that means anything but those systems that process, store or transmit sensitive data.
Providing the Burden of Proof
Finally, you may also wish to consider the following from the PCI Security Standards Council's June 2011 Information Supplement: PCI DSS Virtualization Guidelines [see PCI: New Guidance Addresses Risks], wherein it states, "In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. ... These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."
Peter Spier is president of the ISACA Western New York Chapter and a senior risk management consultant at Fortrex Technologies. Spier earned a graduate degree from Syracuse University's School of Information Studies. He also holds Certified Information Security Manager, Certified Information Systems Security Professional, Project Management Professional, Qualified Security Assessor, Information Technology Infrastructure Library Foundation version 3 and HITRUST CSF Assessor certifications.