Track changing cloud standards

Conceptually, cloud computing seems common. In fact, the simplicity of operational deployment and licensing is the most tempting capital of the cloud. But the problem is that after delving into it, you find it's not easy to follow the cloud, and there are a lot of questions to think about.

Cloud rules are pervasive in government regulations such as the Sarbanes Act (SOX) and EU data protection laws, as small as industry regulations, such as the payment Card Industry Data Security Standard (PCI DSS) and the American Health Insurance Portability and Accountability Act (HIPAA). You may have achieved internal control, but in the process of moving to a public cloud infrastructure platform or cloud-based application suite, you have to give up some control over the cloud provider.

That's a big worry for many auditors, CIOs and CEOs today. They are eager to know: how to vigorously develop the "cloud" while adhering to the cloud rules, to avoid reputation damage. Some analysts, suppliers and consultants have made the following recommendations on this issue:

1. Understand the impact of cloud on it workloads

When you evaluate cloud vendors, try to find vendors who can provide good strategies for user identity, access management, data protection, and incident response. This is the most basic compliance requirement. Then, once you have specific compliance requirements for future suppliers, you will likely encounter specific "cloud" challenges.

Data positioning is one of them. The EU Data Protection Act, for example, prohibits the outflow of personal information from EU residents. Therefore, your cloud provider must ensure that EU customer information is kept on European servers.

Multiple tenant and cleanup configurations also pose challenges. Public cloud providers employ a multi-tenant architecture to reduce server workloads while reducing costs. But that means sharing server space with other businesses. So you have to be aware of what protection the cloud provider can offer to avoid compromising with other businesses. Depending on how important the data is, you may need to encrypt it. For example, the American Health Insurance Portability and Accountability Act (HIPAA) requires that all user data be encrypted regardless of whether the data is being used.

As password identity authentication technology becomes more complex, it is increasingly challenging for users to clean up their configuration. Admittedly, the Federated Identity Management program helps users more easily log on to multiple "clouds," but it also makes configuration cleanup more tricky. "When employees leave the company, you want to click the button, you can automatically close their Windows account and all enterprise internal applications." At the same time, you want employees ' mobile phones to have no access to corporate information, and employees have no access to enterprise SaaS applications. "The automatic cleanup configuration has not yet been implemented at the same time as the cloud platform and the internal deployment system," said Tom Kemp, Centrify president of the Identity Management and compliance tool provider.

2. Tracking the changing cloud standards

Like it or not, you are the early adopters of the cloud. Which applications are migrated to the cloud? When do you migrate? Deepening the understanding of new cloud computing standards helps make better choices.

Today you can refer to SAS Type II and ISO 270,012 standards to comply with government and industry regulations on financial and information security. But these standards are not necessarily suitable for company development.

"Standards such as ISO 27001 and SAS 70 are effective but may be outdated." "When it comes to data security, identity management and administrator control, these standards are not very specific," said Jonathan Penn, vice president and chief analyst at Forrester Research, a market researcher. We have to let users know what's coming, and now it's almost a ' black box '. ”

Increased transparency is a major goal of the Cloud Security Alliance (CSA). CSA has been established for 3 years by users, auditors and service providers of the broad welcome, the main goal is to standardize the audit framework to enhance communication between users and cloud providers.

Currently, the GRC (monitoring, risk and compliance) Standard Suite is progressing well, with 4 major elements: Cloud Trust protocol, Cloud Audit, consensus assessment initiative and cloud Control matrix. Among them, the cloud control matrix lists the basic requirements that enterprises comply with their IT control domain standards, such as "Human resources-termination of employment relationship" in spreadsheet form. The Consensus Assessment initiative provides a detailed questionnaire on users and auditors ' specific expectations of suppliers in the area of control.

Based on CSA and other alliances, including industry groups, government agencies, the joint efforts of the next few years, the new standards will emerge. CSA has been formally aligned with ISO (International Organization for Standardization), the ITU (ITU), NIST (American National Standards and Technology Association) to help these organizations further refine their standards. As of the end of 2010, 48 industry groups have worked on cloud safety-related standards, according to research firm Forrester Research.

Conceptually, cloud computing seems common. In fact, the simplicity of operational deployment and licensing is the most tempting capital of the cloud. But the problem is that after delving into it, you find it's not easy to follow the cloud, and there are a lot of questions to think about.

Cloud rules are pervasive in government regulations such as the Sarbanes Act (SOX) and EU data protection laws, as small as industry regulations, such as the payment Card Industry Data Security Standard (PCI DSS) and the American Health Insurance Portability and Accountability Act (HIPAA). You may have achieved internal control, but in the process of moving to a public cloud infrastructure platform or cloud-based application suite, you have to give up some control over the cloud provider.

3. Focus on SLA

Regardless of your company's size and status, do not assume that the cloud supplier standard contract terms to meet your needs. A rigorous assessment is initiated from the supplier's contract inspection.

Michael Larner is a lawyer at the Hogan Lovells law firm, the advice he offers. Hogan Lovells Law Firm has extensive experience in cloud compliance and security issues. Larner often helps customers negotiate service level agreements with cloud vendors, saying that first from a risk-benefit analysis, understand whether the contract terms of the cloud supplier standard meet your compliance requirements. If compliance requirements are not met, it is up to you to decide what you need to do with the cloud vendor to increase your comfort level.

The size of your company can add weight to negotiation, but if small companies are cloud providers trying to expand new industries, small companies can also find corresponding bargaining weights. In short, don't be afraid to negotiate with a cloud vendor under any circumstances.

"There are too many companies who think that if they are facing a large cloud supplier, the cloud provider will not negotiate with them," Larner said. In fact, you may find that the cloud provider is willing to make an exception for you in order to improve your company's comfort level. ”

If the cloud is unfamiliar to you, you may find that starting with non-critical data is a good way to build confidence, Larner said.

But a rigorous assessment should not end with a full-scale SLA alone. Nirav Mehta, director of cloud computing strategy at RSA, says you should keep a close eye on cloud vendors. "Although there is a good SLA, what will happen to business continuity if the vendor's cloud services are interrupted?" Mehta believes that the best strategy for ensuring backup in the future is to use multiple clouds.

4. Security first

' To best understand the potential risks and benefits, you should discuss them with the security team as soon as possible, ' says Penn of Forrester.

"Safety and compliance issues can be put on the agenda in the right environment." "It's important for business executives to understand security issues and be able to weigh the risk level against the budget offered to mitigate certain risks," Penn said. ”

Migrating to the cloud by formally acknowledging the risk assessment function in the security Committee, it is possible to provide an opportunity for a more permanent alignment of security with the objectives of the enterprise. The security committee can help assess risks and provide budget recommendations that meet the strategic objectives of the enterprise.

You should also attach great importance to security services and security innovations provided by cloud provider partners. Dome9 is Amazon's partner, which solves cloud-related technical issues-DOME9 shuts down these ports when not using the cloud server's SSH and other ports, so that attackers who have access to them cannot log on to the cloud server.

"In the enterprise, these ports are open by default," said Dave Meizlik, vice president of sales at Dome9. But in the cloud when your cloud server does not need to work, you want to be able to close them. And you can't call the cloud provider every time the server shuts down to help you close the port.

Cloud computing may offer some risk, but when security innovations catch up, these risks will diminish. Even today, according to Forrester's Penn, "The security of cloud services does not worry most corporate security teams like other it trends such as smartphones or social media sprawl." Fundamentally, for cloud applications, security issues will gradually diminish without causing increasing concern. ”