Defining the Cloud: A Compliance Perspective. #RSAConference
Posted February 23, 2011, 3:23 pm by Matt Peterson
The 20th Anniversary of the RSA Security Conference is being held this week in San Francisco, CA. It's always exciting to see and hear what the latest security products and initiatives are for the upcoming year from all of the participating vendors. What you often find is an ebb and flow effect: an ever-changing threat landscape drives the evolution of the security technologies we use. Additionally, organizations are continually looking to improve efficiencies and maximize their security budgets. Enter cloud computing.
With much intrigue and focus being given to cloud computing, and more importantly cloud security, how does an organization fully comprehend the definition of the cloud? Simply stated, you have Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) models. Further information on the definition of the cloud and the cloud offerings available may be researched through a variety of channels; I recommend the Cloud Security Alliance.
You can't secure what you don't know you purchased. It's a harsh statement to make, but one that directly reflects the lack of clearly defined roles and responsibilities between the service provider and you, the consumer, which are needed to determine the security posture of the information or systems being hosted. This is also stated to ensure that common principles in cloud computing offerings are defined. No matter what you intend to outsource or host in the cloud, there is an interesting challenge of compliance and of determining who is responsible for what. Insert the Service Level Agreement. The fact that an entity you choose to do business with is compliant doesn't guarantee that your specific implementation is compliant. All providers should clearly define what they are responsible for and what you are responsible for. Do research! Ask your provider for documentation stating the scope against which they were assessed in order to meet compliance. Then validate that the assessment covers the services you are looking to host in the cloud. Once you have this information, you can identify existing gaps and refine the service level agreement to ensure expectations are clearly defined and compliance can be achieved. Always keep in mind that you can outsource the work, but not the responsibility!
References: Cloud Security Alliance, www.cloudsecurityalliance.org