1. No category

> White Paper
Riders on the Storm Cloud:
How to Reduce Risk and Ensure
Compliance in the Cloud
Jeff Reich, Chief Risk Officer
CRISC, CISSP, CHS-III, ISSA Distinguished Fellow
Kevin Van Mondfrans, Vice President of Product Management
COMPLYING TO THE HIGHER STANDARD
Introduction
When it comes to compliance, businesses both big and small will likely agree: frankly, it’s
a pain. Unlike security, in which IT departments may feel more concerned and passionate
about protecting users and information, meeting regulatory compliance is simply a requirement. But not only is it a requirement, it’s one that comes with all types of confusing rules and
guidelines.
Compliance runs the gamut, from government regulations such as Sarbanes-Oxley (SOX) and
the Federal Information Security Management Act (FISMA) to industry regulations such as PCI
DSS for payment processing and HIPAA for healthcare. Add cloud computing to the mix, and
that takes compliance to a whole new puzzling – and in turn, time-consuming and expensive
– level. And with the cost of a data breach being $214/record1, there’s really no room for error.
This leaves many companies facing a common problem: how do we reap the benefits of the
Cloud without running into the problems associated with compliance and security? In this
white paper, you’ll learn about the potential risks associated with cloud computing, what
options exist to secure a cloud, and how you can ensure both security and compliance in the
simplest, most cost-effective way possible.
Taking the Leap:
Drivers and Dangers of Cloud Computing
By now, many businesses are finding cloud computing a necessity, and as a result, cloud
adoption in North America is showing a 48% year-over-year growth rate.2 According to IDG,
92% of enterprise IT decision makers rank the Cloud as a priority for the next 18 months, with
almost one in four calling it a “critical” priority.3 Another report published by Forrester forecasts the global market for cloud computing to grow from $40.7 billion in 2011 to more than
$241 billion in 2020.4
Clearly, companies are starting to realize the benefits of moving to the Cloud due to a number of major drivers. The primary reasons companies migrate to a cloud computing environment, reports Forrester, include wanting to improve business agility (72%), focus resources
on more important projects (66%), and improve speed of implementation and deployment
(64%).5
The benefits of cloud computing are many, but so is the potential for risk. The first danger
is simply approaching cloud computing on the wrong foot altogether. If a company’s main
objective is to reduce cost, then it needs to make sure that a cloud solution meets its return
on investment (ROI) expectations. You don’t want to end up in a Cloud that ends up costing
more than you had planned for, whether those costs come from security risks or from the
time and money it takes to manage your Cloud and its security infrastructure.
1
“Cost of data breach climbs higher,” Dr. Ponemon’s blog/
Ponemon Institute, March 2011.
2
Gartner, 2012.
3
4
5
IDG 2012 Global Cloud Computing Survey.
“Sizing the Cloud,” Forrester Research, April 2011.
“The Changing Cloud Agenda,” Forrester Research, April 2012.
Just as importantly, there’s the concern about security and regulatory noncompliance. In
certain cases, a business may simply have no idea how to approach compliance, or how to
protect data from a breach (including external hacks and internal threats). If a company is
required to protect certain data, it needs to understand exactly how to do that and have
knowledge of specific encryption and authentication standards that this level of compliance
requires. Alternately, a business may have this understanding with an internal set of controls
in place for their physical infrastructure, but when their applications move to a cloud platform, those processes end up moving out of their hands into those of an outsourced cloud
provider.
Despite these overarching concerns, however, companies are
warming up to the Cloud, seeing that the benefits, in most cases,
outweigh the risks. According to a 2012 survey, companies are
increasingly finding cloud computing to be more trustworthy,
with 50% of respondents stating they were confident that cloud
solutions are viable for mission-critical business applications.7
Don’t look at me...
According to a survey conducted by the Ponemon
Institute, 69% of cloud service providers don’t
believe security is their responsibility, and 91% do
6
Businesses that are ready to start their journey to the Cloud
must then decide which is the safer—and smarter—option:
do it in-house or outsource to a service provider?
not provide security as a service from the Cloud.
Why DIY Doesn’t Always Make Sense
A company’s first instinct will likely be to build its own private Cloud. This do-it-yourself
approach may have made sense back when cloud computing was used solely for testing and
development, but for businesses looking to support more critical production environments,
the task of building a secure and compliant Cloud internally requires a substantial amount of
time, money, and resources.
Companies considering the do-it-yourself route need to make the following considerations:
• Invest in owning and managing your own data center. In order to build an internal
Cloud, a business would first need a physical data center to house the foundation for its
cloud computing environment. You would not only need to invest in data center technologies such as servers, switches, firewalls, load balancers, storage appliances and more,
but also for the cost of owning or renting the physical space. In addition to such capital
expenditures, there are also the operational expenditures of managing and securing the
data center as well.
• Hire security and compliance experts who can stay on top of every patch on every version of every operating system. The challenge with this task is that such experts are not
cheap and their very specialized skills are often not scalable. Plus, if security and compli-
6
7
“Security of Cloud Computing Providers Study,” Ponemon Institute, April 2011.
http://finance.yahoo.com/news/2012-future-cloud-computing-survey-213200299.html
ance are an employee’s main responsibilities, it probably wouldn’t be in a company’s best
interest to have them working on other tasks that may take their attention away from
their primary responsibility of ensuring security and compliance.
• Maintain compliance daily through log reviews, change
reviews, vulnerability scans and pre-audits. To really ensure
security and compliance, you need to have full 24x7 management of what can often turn out to be a complex data
center environment, which can be costly.
Companies have the choice to invest in doing the above, but
many often find they’re spending more money to manage IT
infrastructure, security, and compliance versus innovation and
driving forward. Thus, control can be a double-edged sword:
It gives you more visibility, but comes with management overhead.
For companies that want to maintain focus on their core business, going the cloud service provider route makes more economic sense. And with rising competition between providers,
you don’t have to worry about giving up visibility and control.
The key is finding the right cloud provider that offers both
security and economic benefit, as well as vertical expertise that
is relevant to your business.
Compliance: It’s no small matter
A 2011 survey conducted by Compliance Week
and PwC reveals that 48% of senior-level compliance officers felt that the likelihood their company
would experience a compliance risk within the
next 18 months was “high or very high.” And 65%
stated the potential impact of a compliance risk
8
being also “high or very high.”
If you choose to build a secure, compliant Cloud
with internal resources, the most critical requirement is that you have a firm understanding of
the laws, regulations, and industry standards that
apply to your business. Unfortunately, even with a
dedicated compliance team, this isn’t always easy.
Finding a Cloud You Can Trust: 5 Questions to Ask Providers
When companies begin their search for a cloud partner, they want one that can offer the safest, most reliable place to run demanding production workloads, but just as importantly, they
need a relationship that makes good economic sense.
There are a plethora of cloud providers on the market offering robust solutions that promise
security and compliance. The challenge is finding the one that meets both your business and
security needs, with expertise in your particular industry.
Here are five questions to ask cloud providers during your vendor evaluation process:
1. How does your secure environment maintain all the business value and benefits promised by the Cloud?
The key business value that will come out of cloud computing is innovation, whether
that relates to business, IT, or developer innovation. In order to enable your company to
truly innovate, a cloud provider should be able to outline exactly how this is achieved,
including alignment between IT investment and business ROI. Having a number of cloud
8
“Broader perspectives; higher performance. State of Compliance: 2011 Study,” PwC and Compliance Week, May 2011.
options (public, hybrid, or private) to choose from further helps ensure the level of security and compliance you need in a model that’s most appropriate for your business.
2. Do you offer the proper and complete set of security tools and management capabilities to meet industry standards (such as PCI, HIPAA or FISMA) that will ensure my compliance? If so, how?
You’ll want a provider with vertical expertise that knows your industry’s unique requirements and regulations, but also one that has the tools and practices to back that up. The
provider should offer multi-layered defense, including stateful firewalls, as well as realtime vulnerability and intrusion detection monitoring and reporting. Even better, some
may already have HIPAA, FISMA or PCI compliance-ready configurations and full IT management capabilities to further ease the process.
3. Are your operations completely transparent? Can I see what you see?
Just because you’re handing over control of your Cloud, doesn’t mean you should be
completely out of the loop. You should be able to see exactly what your cloud provider is
doing in your environment, and this includes having access to monthly, weekly, or daily
reports that detail everything from user rights, changes, and scans to monitors and logs. If
a provider can’t give you that visibility, then they’re one you’ll want to pass by.
4. Can you assist in an audit, and if so, to what degree?
You’ll need support with both Qualified Security Assessor (QSA) audits and pre-sales
assessments to validate IT infrastructure security. Look for a provider that offers the fullscale assistance you need, including forming questionnaire responses, providing sample
data, and participating in QSA interviews face to face or via teleconference.
5. How long have you been validated as a Level 1 and/or regulatory committee certified
vendor?
In a field as complex as compliance, experience counts. So does the ability to prove it.
Ask your potential provider for copies of current and past letters documenting they have
been validated by a QSA for Level 1 service provider compliance with PCI DSS. The same
should be done for other industry and federal regulations as well. The longer the provider
has been performing audits, the better hands you’ll likely be in.
Key Requirements for a Secure and Compliant Cloud
Technology: Simply implementing leading-edge technology and access controls is not enough. A cloud provider should have a thorough understanding of the technology including how to set a Cloud up, build a secure
network, continually maintain the environment, and protect data so that it’s running at optimal performance.
Strong operations: From patch management and change management, to vulnerability management, you
need to have a cloud provider that has a number of security and cloud processes in place to prove that they are
operationally strong. They should also have a firm set of information security policies with robust monitoring
and testing capabilities for network and security.
Visibility: Many cloud providers will likely offer a cloud portal, but you’ll want one that goes beyond simple
provisioning capabilities. Instead, you should look for a portal that’s designed for both test and development, as
well as production staff. This portal should offer visibility to log data and risk information, such as file integrity
and vulnerability scans as well. Look for a provider that gives you true visibility, along with elasticity and management tools.
Recognition and application of use cases: You don’t want to work with a vendor who doesn’t understand your
core business and key requirements. Make sure they can reference a customer they’ve worked with that is in
your industry vertical to prove they have the knowledge and capabilities to deliver what you need.
Keeping the Business Focus on Innovation
It’s important to realize that security and compliance is not a one-time audit event at the end
of the year; rather, it’s a non-stop job that must be tended to continuously. And when your
mission-critical e-business applications are on the line, you don’t want to take any risks.
As the global leader in providing compliant managed services, cloud hosting solutions, and
dedicated server hosting, Layered Tech offers companies a 100% compliance guarantee with
an innovative suite of secure eBusiness Cloud services. From customized and hybrid cloud
solutions to fully virtualized cloud data center solutions, Layered Tech delivers:
• Greater business agility. Your competitors are moving fast, and you need to move faster.
When you need to upgrade your web apps or roll out a last-minute promotion, you need
the resources to rapidly deploy additional compute resources. With our cloud solutions,
you can cloud burst to gain extra resources when needed.
• Secure and compliant environment. Our flexible cloud solutions are expressly designed
with compliance in mind. Layered Tech delivers fully managed enterprise security with
multi-layered defense, and a tiered networking model for secure isolation of app tiers, as
well as HIPAA and PCI compliance-ready configurations.
• Seamless migration. We help you migrate application tiers with network isolation of
VLANs and firewalls, making migration to production faster and easier.
• Flexible engagement model. Just because you’re moving an application to the Cloud
doesn’t mean that you need to do it all at once. We give you the flexibility to migrate as
you choose—whether that’s launching new elements of an app in the Cloud, while continuing to utilize existing physical databases for older elements. Or bursting to cloud servers to gain additional resources as necessary.
• Superior performance and availability. Our robust cloud platform is built using best-of
breed technologies (VMware, Citrix, and Cisco) to offer extreme scalability, efficiency, and
security. Cloud load balancers enable rapid scaling up or out with available resources,
while advanced virtualization and workload management and automation ensure service
quality.
Why choose Layered Tech?
At Layered Tech, we don’t just enable compliance—we actively manage compliant IT environments. As a recognized leader in secure and compliant hosting, we are:
• The first hosting provider in the world to meet VISA CISP security standards for managed
services
• Trusted with direct connectivity into three major credit cards’ networks
• An established auditing entity, with ongoing relationship with QSAs
• An active participant in the PCI Security Standards Council
• Included in Gartner’s 2012 Magic Quadrant for Managed Hosting and Cloud
Conclusion
For most businesses today, it’s no longer a question of whether to move to the Cloud or not;
rather it’s a question of how to make the move. And with security being a top challenge in
regards to implementing cloud computing9, the way you approach the cloud transition will
undoubtedly be a critical one.
Many companies may instinctively want to build a Cloud internally to maintain control over
their environment. But they often fall into the trap of spending more money to manage IT
infrastructure, security, and compliance than on the innovation that will differentiate their
business. To ensure security and compliance, turning to a cloud service provider presents a
compelling alternative that simplifies the ongoing process of protecting a cloud computing
environment.
However, for companies running demanding – and highly sensitive – production workloads,
not just any cloud provider will do. Companies need to thoroughly vet each vendor and make
sure they offer the deep security and compliance management capabilities required to support mission-critical e-business applications.
For companies concerned about compliance and security in the Cloud: Stop looking where it
doesn’t exist. And instead turn to a trusted source where it does exist—turn to Layered Tech.
Visit www.layeredtech.com to learn more.
COMPLYING TO THE HIGHER STANDARD
www.layeredtech.com • 1-888-952-4888 • [email protected]
9
“2012 Cloud Computing: Key Trends and Future Effects,” IDG Enterprise, 2012
© 2012 Layered Technologies, Inc. All rights reserved. All trademarks and registered trademarks are the property of their respective owners.