Compliance in the Age of Cloud

Transcription

1 ANALYST BRIEF Compliance in the Age of Cloud THE GOOD, THE BAD, AND THE UGLY Author Andrew Braunberg Overview Cloud is a nebulous term, but fundamentally, the term denotes that IT resources are delivered and consumed as a service. 1 There are many types of cloud, including infrastructure, software, platform, storage, and networking. While security and compliance tend to be the top concerns of businesses considering the adoption of cloud services, there are also advantages to moving to the cloud: such a move can introduce automation to compliance functions, for example, security auditing of technology control points can become simpler, quicker, and more scalable. As cloud markets mature and expand, the question of how to ensure compliance in the age of the cloud becomes more urgent. In particular, the cloud delivery model of software as a service (SaaS) has become a mainstream method for delivering enterprise business functionality. The global SaaS market is currently estimated to be approximately US$22 billion (out of a total cloud market of US$28 billion to US$30 billion). 2 SaaS offerings, such as Salesforce.com or Box, deliver capabilities, such as customer relationship management (CRM) or online file storage, which are available through simple web interfaces. In general, these services are popular because they are scalable, extensible, available through the Internet, and centrally managed. While SaaS offerings provide a fully formed application, cloud delivery options also include platform as a service (PaaS), on which customers can host their own applications. The second largest cloud segment, however, is infrastructure as a service (IaaS), which provides the most flexibility for customers but also calls for customers to take the most responsibility. IaaS requires that customers configure their own operating systems, networking, storage, and application stacks. These different cloud delivery models place significantly different security and compliance requirements on customers. Although SaaS providers are responsible for more overall security than are IaaS providers, none of these delivery models absolve enterprises from ownership of some compliance and security tasks. Further, from a compliance perspective, an enterprise is always ultimately responsible for its customer data, regardless of where it resides. Ironically, while most of the discussion around cloud and security/compliance examines the concerns, there are numerous benefits to the cloud from both the security and compliance perspectives. 1 NSS Labs uses the NIST definition of cloud computing: real- market- size- of- public- cloud- services/

2 NSS Labs Findings Being compliant does not equate to being secure. New security tools are required to leverage cloud technology. Many existing security solutions will not provide the same level of protection when deployed in the cloud. Legacy enterprise applications must be modified for use in cloud environments. Transitioning to a fully automated data center allows a more granular level of security controls on a per- machine and per- app or per- role basis and allows for security controls to be adapted dynamically. There is no cloud service deployment in which enterprises are not at least jointly responsible for some security controls. NSS Labs Recommendations Enterprises should build test environments with proven reference architectures. New cloud- based deployments should have extended pilot test phases to ensure that organizations are able to operate and audit according to established security policies. Enterprises should assess and modify security policies to account for new deployment models. Administrators should implement strong single sign- on (SSO) authentication for all access to traffic routed through a cloud- based reverse proxy. Enterprises must fully test all applications before moving them to production environments. Enterprises should evaluate virtual security appliances to maintain congruence between physical and cloud deployments, since these appliances can extend an enterprise s existing compliance controls into the cloud. 2

3 Analysis The widespread use of cloud service models in production environments has raised concerns associated with demonstrating corporate- wide compliance with data protection mandates. This is particularly concerning because many organizations do not know how much of their compliance- related data is migrating to the cloud. 3 These concerns have driven cloud service providers, industry groups, and compliance organizations (for example, the PCI Security Standards Council) to address more fully the compliance issues associated with the adoption of cloud services. Important compliance regulations include: Revised International Capital Framework (Basel II) Gramm Leach Bliley Act (GLBA) Health Insurance Portability and Accountability Act, (HIPAA) North American Electric Reliability Corporation Standards (NERC) Payment Card Industry Data Security Standards (PCI- DSS) Sarbanes- Oxley Act of 2002 (SOX) Federal Risk and Authorization Management Program (FedRAMP) Federal Information Security Management Act of 2002 (FISMA) International Traffic in Arms Regulations (ITAR) International Organization for Standardization (ISO) Federal Information Processing Standards (FIPS) American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) Reports Federal Office for Information Security (BSI) Germany Financial Services Roundtable BITS 4 Shared Assessments Agreed Upon Procedures (AUP) and Standardized Information Gathering (SIG) Control Objectives for Information and Related Technology (COBIT) European Network and Information Security Agency (ENISA) Information Assurance Framework (IAF) AICPA and Canadian Institute of Chartered Accountants (CICA) Generally Accepted Privacy Principles (GAPP) Health Information Technology for Economic and Clinical Health (HITECH) Act Jericho Forum National Institute for Science and Technology (NIST) New Zealand Information Security Manual (NZISM) Trusted Cloud Initiative (TCI) Reference Architecture BITS is not an acronym 3

4 The Good A shift to cloud services introduces several important potential security benefits, including: 5 Staff specialization The scale of cloud providers allows for highly specialized security and compliance staff Platform strength Automated configuration management, vulnerability management, audit, and patch Built- in redundancy, backup, and disaster recovery Reliance on lightweight endpoints Less complex and smaller attack surface Data concentration Less data must be stored on easily lost or stolen mobile devices Perhaps the most important compliance- related improvement associated with the use of cloud services is that the automation enabled can be applied to the monitoring and management of security controls. Automation also enables the rationalization of compliance requirements and control assessment processes. This in turn can reduce the costs of compliance monitoring and testing. Enterprises can leverage cloud architectures to: Establish a central command and control (i.e., unify information technology [IT] controls) Leverage automated software- machine controls to replace traditionally manual human- machine controls Provide more granularity for access controls Log all activities (i.e., provide efficient audit trails) Configure log file integrity Automate all system builds (for example, automatically capture events and configuration changes) Centralize configuration management (for example, no manual changes are permitted for individual systems) Since everything is automated, it is simpler to add more complex security controls. Tasks such as certificate and key rotation can also be performed more frequently. Today, most organizations share just a few keys amongst many servers and administrators, and the keys are not rotated once a server is decommissioned or an administrator leaves the organization. This is poor security practice. Moving to a fully automated data center allows for more security controls on a per- machine and per- app or per- role basis and facilitates the dynamic adaption of security controls. Cloud services are built from the following components: Data Applications Control and management API Physical and virtual machine images with various operating systems Active physical and virtual machine instances built from images Physical and virtual servers and network devices Hypervisors Processing/memory Block, file, and object storage Physical facilities 5 4

5 The IaaS, PaaS, and SaaS service models are differentiated by the manner in which their cloud service components are bundled and managed. In general, customers gain flexibility but take on more responsibility when moving from SaaS, to PaaS, to IaaS (see figure 1). One of the main reasons for leveraging cloud solutions is that services typically performed by a specialized team can now be automated and transferred to operators and developers. As more IT functions are automated, administrators can monitor performance and load testing on every service and for every change that occurs as a result of these performance and load testing capabilities being integrated into the software- defined data center. This allows for stress testing of systems during non- peak usage periods and ensures expected behavior at load is predictable and will work at scale. Automation is also a cost saver as the amount of traditional data center administration is reduced. The goal for an organization adopting cloud services is to establish a central command and control and then leverage automated software- machine controls to replace traditionally manual human- machine controls, which would enable logging of all activities. Log file integrity is particularly important in this scenario; therefore, automated system builds and centralized configuration management must be in place. Automate Everything or Automate Nothing? If an enterprise cannot map (and automate) to the cloud the security controls for its existing legacy applications, it should seriously consider either not moving those applications to the cloud or evaluating other security controls. Unless all essential controls are automated, the enterprise s risk of exposure to compromise will be increased. Security is often an afterthought as IT architectures become increasingly complex, and as control is transferred to third parties (internal cloud teams or public cloud providers). The best cloud security solutions deny even command line access (where back doors can remain open) and force programmatic access via APIs for all aspects of the cloud infrastructure management. Enterprises utilizing homegrown cloud solutions are trusting development teams with the protection of their data. The community- driven aspect of open- source cloud solutions can be a weakness if the necessary security controls are not in place. The technology exists today to build a secure and compliant cloud architecture, but such designs are not mature, and there is uncertainty regarding their ease of implementation. Replacing a traditional DMZ firewall perimeter architecture with SSO, Security Assertion Markup Language (SAML), and reverse proxies can appear counterintuitive to the typical enterprise architect or security team. The Bad Generally, the use of cloud services can be a net security positive for businesses, particularly small and medium- sized businesses, which might not have dedicated security resources in house, and which can outsource security by adopting cloud services. Because cloud services can improve security, they can also improve privacy and compliance. Conversely, however, the use of cloud services can also raise security and compliance concerns for several reasons, including: Complexity of the infrastructure required to maintain these services as compared to a traditional enterprise data center (for example, new attack surfaces such as hypervisors are introduced) Public cloud services create shared multitenant environments, which introduce the potential for lateral data loss and resource sharing challenges 5

6 Cloud services that leverage the open Internet for delivery of services are potentially more insecure, exposed, and unreliable. Cloud service providers maintain external control of corporate data Organizational changes are required to assist applications in moving smoothly to the cloud Initial up- front investment is required to implement the new automated security controls As with any new technology, there is considerable fear, uncertainty, and doubt (FUD) from the vendors that stand to lose revenue as new tools are introduced. How do organizations know which solutions will function as advertised? From a customer s perspective, one of the most compelling benefits of the cloud is its ability to successfully conceal the complexity behind the services delivered. However, while that complexity is largely hidden from end users, it is an expanded and a well- understood target for attackers. Unfortunately for enterprises, not all security tools currently function as they should, and they are often complicated to set up, configure, and operate. Similarly, legacy enterprise apps cannot simply be ported to the cloud. A fundamental concern over the use of cloud services is that it extends the scope of infrastructure that falls under a compliance mandate, an issue further complicated by the fact that the cloud infrastructure is managed by the cloud service provider. While cloud service providers have begun to demonstrate real expertise in compliance management, customers must be further educated on the way in which compliance responsibilities, particularly management of security controls, are split between customers and providers. PCI Data Security Standard (DSS) The PCI Data Security Standard (DSS) requirements demonstrate the way in which responsibility for security controls can be shared between a cloud service provider and its customers. The PCI DSS mandates a dozen security controls on its merchants to protect cardholder data. A serious concern with compliance in the cloud is over the allocation of responsibility for the different security controls. Enterprises that utilize SaaS rely much more on cloud service providers for management security controls than do enterprises using IaaS, but there is no cloud service deployment in which enterprises are not at least jointly responsible for some security controls. The PCI Security Standards Council has issued guidelines 6 concerning the management of PCI DSS security controls during deployment of cloud architectures. The PCI DSS aims to build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access controls measures; regularly monitor and test networks; and maintain an information security policy. To meet these goals, the PCI DSS mandates security controls 7 in twelve general areas. The PCI Security Standards Council has clearly defined responsibility these controls in each of the cloud service models (see figure 1)

7 PCI DSS Requirement IaaS PaaS SaaS Firewall configuration Joint responsibility Joint responsibility Cloud service provider (CSP) responsibility Password management Joint responsibility Joint responsibility CSP responsibility Cardholder data protection Joint responsibility Joint responsibility CSP responsibility Encryption of data in motion Customer responsibility Joint responsibility CSP responsibility Use of antivirus software Customer responsibility Joint responsibility CSP responsibility System and application security Joint responsibility Joint responsibility Joint responsibility Restrict access cardholder data Joint responsibility Joint responsibility Joint responsibility Assign a unique ID to each person with computer access Joint responsibility Joint responsibility Joint responsibility Physical access control CSP responsibility CSP responsibility CSP responsibility Track and monitor network access Joint responsibility Joint responsibility CSP responsibility Regularly test security systems Joint responsibility Joint responsibility CSP responsibility Maintain security policies Joint responsibility Joint responsibility Joint responsibility Figure 1 Responsible Party for PCI DSS Requirements 7

8 The Cloud Security Alliance (CSA) has created a Cloud Controls Matrix 8 that maps recommended security controls against many US and international compliance regimes. This matrix is available in a spreadsheet whereby commonality in these controls can be determined across the most important regulations, including PCI DSS. Cloud Provider Security Cloud service providers increasingly are paying attention to the compliance requirements of their customers. For a review of the security and compliance efforts of Amazon Web Services (AWS), see the Analyst Brief Securing Amazon It s a Jungle Out There. AWS is not alone; VMware 9 also offers numerous additional security and compliance solutions. These products/services fall into three groups: end user computing (for example, identity management, endpoint security, authorization); cloud applications (for example, data security, configuration management, white listing); and cloud infrastructure (for example, network security, configuration and log management, and platform security). VMware also works with third- party security vendors to address additional controls around hardware, authentication, logging and monitoring, endpoint security, encryption, and availability. The Ugly As the use of cloud services has become mainstream, addressing compliance when using those services has become a top- of- mind concern for businesses. While this is important because compliance is a legal and business requirement for many organizations, being compliant does not equate to being secure. Compliant organizations are not immune to breach, but compliance can provide a false sense of security. Legal requirements for compliance provide an incentive to prioritize these efforts, and unfortunately, compliance and security teams sometimes must compete for the same resources. Point- in- time snapshots of compliance are useful, but they are no substitute for the continuous monitoring of security and for breach detection efforts. The massive breach of the US retailer Target is a timely example of this. The general manager of the PCI Security Standards Council, Bob Russo, responded to the Target breach by noting that (PCI DSS requirements) are the bare minimum things you should be doing. Noting the important distinction between compliance and security, he said, You can be in compliance today and be totally out of compliance tomorrow because of a failure to implement some required small security measure. This is really about security. Not about compliance. 10 The broad adoption of cloud services also requires changes in corporate strategic thinking. For example, budgets must be adjusted as costs for IT investments change from a predominately capital expenditure (capex) model to a predominately operational expenditure (opex) model. 8 controls- matrix- v3/ 9 Approach- to- Compliance.pdf

9 The Snowden Effect Compliance is also likely to be complicated by Edward Snowden s revelations last year regarding the National Security Agency s (NSA s) ability to gather data residing on cloud service infrastructure. Several market watchers predict that US cloud service providers could lose between 10 and 20 percent of the foreign market in the next few years. 11 The leaks could further complicate business for cloud providers by spurring efforts to enact data residency laws. Data residency is already a concern for cloud providers. Because it is often impossible to know (geographically) where data in the cloud is being stored at any given time, it can be difficult for customers of cloud services to demonstrate compliance with data movement laws. This is because the laws where the data was collected are binding, and these laws may restrict data movement. This can create legal complexities and complicate compliance reporting. Customers can of course negotiate service agreements, but these restrictions typically come at higher cost because they limit a cloud service provider s ability to shift workloads. 12 More widespread data residency laws would further complicate this concern cloud- computing- costs.pdf

10 Reading List Securing Amazon It s a Jungle Out There. NSS Labs amazon- web- services- part- 1 They Call It Stormy Monday. NSS Labs call- it- stormy- monday 10

11 Contact Information NSS Labs, Inc. 206 Wild Basin Rd Building A, Suite 200 Austin, TX USA This analyst brief was produced as part of NSS Labs independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, copied/scanned, stored on a retrieval system, e- mailed or otherwise disseminated or transmitted without the express written consent of NSS Labs, Inc. ( us or we ). Please read the disclaimer in this box because it contains important information that binds you. If you do not agree to these conditions, you should not read the rest of this report but should instead return the report immediately to us. You or your means the person who accesses this report and any entity on whose behalf he/she has obtained this report. 1. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it. 2. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or expenses of any nature whatsoever arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT, ARE HEREBY DISCLAIMED AND EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and/or software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet your expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 11