One of the most pressing challenges faced by organisations looking to leverage cloud services is the issue of transparency. How can they assess the security of cloud service providers (CSPs), and how can they determine the reputation and reliability of a given CSP?
The Cloud Security Alliance’s Security, Trust, and Assurance Registry (STAR), which launched last year, is an attempt to make CSP security and operations more visible and open. However, other industry groups are also working to improve cloud transparency, and organisations should familiarise themselves with these efforts, which take a different approach towards the same goal.
Cloud transparency: Open Data Center Alliance
The Open Data Center Alliance (ODCA), an independent IT consortium, provides guidance on standards, usage models, and other areas related to data center operations and cloud computing. Its model is community-driven, soliciting input from ODCA members to develop specific usage models that provide detailed considerations on data center challenges and use cases, particularly those focused on cloud infrastructure. One of the core tenets of the ODCA's focus is interaction with and support from both cloud subscribers and providers, with a goal of creating “work domains” that factor into the usage models. These include security (provider assurance and security compliance monitoring), regulation (regulatory frameworks and carbon footprint), management, service (service catalogs and units of measurement), and infrastructure (virtual machine interoperability and Input/Output (IO) control). The domains encompass many IT organisations’ most pressing concerns with regard to security and availability in both internal and external cloud environments, and updates to the usage models are released regularly.
Although ODCA does not have a mechanism for “self-reporting” transparency like STAR, there are several specific usage models that directly contribute to more provider transparency. The first is the Security Monitoring usage model, which calls for the provider to present a Web-based interface to subscribers detailing the status of a wide variety of security controls, including antivirus definitions, intrusion prevention system (IPS) events and firewall logs. The current model explicitly states that ongoing work is needed to align more closely with the CSA Cloud Controls Matrix and other controls frameworks. The second model that enables transparency is the Provider Assurance model, which requires cloud providers to adhere to compliance regulations and controls defined by standards bodies like NIST, the PCI Security Standards Council and ISO, and to enable the dashboards described in the Security Monitoring model. CSPs can attain four levels of assurance:
- Bronze: Basic security, like antivirus, firewalls, vulnerability management, security event monitoring and physical security access restrictions.
- Silver: Enterprise Security equivalent, including network intrusion prevention, event logging, continuity plans and more robust security documentation.
- Gold: Financial Organization Security equivalent, which includes penetration testing capabilities, multifactor authentication, storage encryption and physical server isolation.
- Platinum: Military Organization Security equivalent, with stronger encryption and removal of cloud provider administrator access.
Specific requirements are also described by category for each assurance level. For example, “Network and Firewall Isolation” describes the following controls and processes at each level:
- Bronze: The CSP manages all firewall rules with no consumer input.
- Silver: The CSP manages firewall rules with some input and advice from the consumer. Also, the CSP offers network segmentation between logical network tiers.
- Gold: The firewall rules are managed by the subscriber, with administrative maintenance of firewalls provided by the CSP. Network segmentation between logical tiers is offered, and application-layer protection is available, as well.
- Platinum: The CSP has no access to firewalls at all, as the consumer manages everything. Network segmentation between logical tiers is offered, and application-layer protection is available as well.
The Cloud Standards Customer Council
Although it does not contribute directly to transparency efforts in the way STAR and the ODCA do, the Cloud Standards Customer Council (CSCC) is focused on providing strategic and tactical changes and recommendations for cloud adopters, primarily in the form of use cases and general guidance. Its current use case document includes high-level security guidance for specific control areas like asset management, cryptography and key management, and network security. Some simplistic use cases are also described. Currently, the CSCC does not appear to offer a registry for assurance or transparency purposes, but does have a significant member list that includes both providers and large consumers.
CSCC is also closely aligned with the Open Cloud Manifesto, a movement with over 400 supporters that seeks to foster more open standards, dialogue and general transparency in communicating about cloud controls and configuration standards. Over time, the CSCC will likely be a significant contributor to cloud transparency, and could lead to improved participation in programs like STAR.
As more organizations look to transition to hybrid and public cloud models, the need for cloud provider transparency will only become more pressing. It remains to be seen whether efforts to gain cloud transparency will succeed. To date, only three organizations have submitted information for CSA’s STAR: Microsoft Office 365, Mimecast and Solutionary. This suggests that many cloud providers may not yet be ready to submit this level of detail, or that there may not yet be much community support for, or knowledge of, STAR. Nonetheless, cloud users can look to organizations like the CSA, ODCA and CSCC for useful guidance for both monitoring and reporting on the state of provider controls.
About the author:
Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor, and course author. He has consulted with hundreds of organisations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualised infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the co-author of Hands-On Information Security from Course Technology as well as the "Managing Incident Response" chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualisation security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.