Security has consistently been a major barrier to cloud adoption. By delivering a cloud offering that helps clients address their security needs, vendors can gain differentiation and a strong market position.
Many common IT security principles, such as applying defense in depth, managing logs, maintaining patches and implementing sound change management policies and procedures, also apply in the cloud.
But the cloud also presents many unique security challenges. That is particularly true of multi-tenant cloud environments, where the data of different organizations and teams can commingle on shared computing resources. Consider one example: To pursue a case, an investigative agency is granted a subpoena to search a corporation’s files, including those held in its cloud provider’s environment. By granting this agency access to its multi-tenant servers, the cloud provider may ultimately be handing over the files of a number of other clients, which could have security, privacy, compliance, and contractual implications. Those are the kinds of scenarios that keep security professionals leery of moving to the cloud.
Another factor to consider is compliance, the range of mandates in place, and their different demands. The scope and complexity of addressing common compliance mandates in the cloud can vary substantially. On one end, addressing a mandate like Sarbanes-Oxley is fairly straightforward. Achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) is more challenging. The Health Insurance Portability and Accountability Act (HIPAA) is at the far end of the spectrum. Compared to PCI DSS, which governs the use and security of specific data sets, a wide range of assets—from x-rays to forms—are regulated in a health care environment. This makes the task much more complex. When it comes to HIPAA and the cloud, many organizations are opting to set up dedicated, virtual private clouds or private clouds to address the requirements.
As organizations set about implementing compliance and security infrastructures, they should be realistic, and not take on too much too quickly. It’s good to focus on a specific mandate, establish success, and build from there. It’s also important to leverage industry standards to ensure that security and compliance services are sustainable. PCI DSS is very prescriptive, and many of its policies represent best practices, regardless of whether an organization is regulated by the standard. However, most service providers would be well served by using the ISO/IEC 27000 standard, which provides an even better operational baseline to address many compliance objectives over time. As they’re building out these security and compliance services, vendors will also need to be aware of the Statement on Standards for Attestation Engagements (SSAE) No. 16, a standard for reporting and validating the processes in place. SSAE 16 supersedes the earlier standard, Statement on Auditing Standards (SAS) No. 70.
Stay tuned for strategy #2 on Friday.