White Paper
Riders on the Storm Cloud: How to Reduce Risk and Ensure Compliance in the Cloud
Jeff Reich, Chief Risk Officer, CRISC, CISSP, CHS-III, ISSA Distinguished Fellow
Kevin Van Mondfrans, Vice President of Product Management
COMPLYING TO THE HIGHER STANDARD

Introduction

When it comes to compliance, businesses both big and small will likely agree: frankly, it's a pain. Unlike security, where IT departments may feel more concerned and passionate about protecting users and information, meeting regulatory compliance is simply a requirement. But not only is it a requirement, it's one that comes with all types of confusing rules and guidelines. Compliance runs the gamut, from government regulations such as Sarbanes-Oxley (SOX) and the Federal Information Security Management Act (FISMA) to industry regulations such as PCI DSS for payment processing and HIPAA for healthcare.

Add cloud computing to the mix, and that takes compliance to a whole new puzzling (and in turn, time-consuming and expensive) level. And with the cost of a data breach being $214 per record [1], there's really no room for error. This leaves many companies facing a common problem: how do we reap the benefits of the Cloud without running into the problems associated with compliance and security?

In this white paper, you'll learn about the potential risks associated with cloud computing, what options exist to secure a cloud, and how you can ensure both security and compliance in the simplest, most cost-effective way possible.

Taking the Leap: Drivers and Dangers of Cloud Computing

By now, many businesses are finding cloud computing a necessity, and as a result, cloud adoption in North America is showing a 48% year-over-year growth rate [2]. According to IDG, 92% of enterprise IT decision makers rank the Cloud as a priority for the next 18 months, with almost one in four calling it a "critical" priority [3]. Another report published by Forrester forecasts the global market for cloud computing to grow from $40.7 billion in 2011 to more than $241 billion in 2020 [4].

Clearly, companies are starting to realize the benefits of moving to the Cloud due to a number of major drivers. The primary reasons companies migrate to a cloud computing environment, reports Forrester, include wanting to improve business agility (72%), focus resources on more important projects (66%), and improve speed of implementation and deployment (64%) [5].

The benefits of cloud computing are many, but so is the potential for risk. The first danger is simply approaching cloud computing on the wrong foot altogether. If a company's main objective is to reduce cost, then it needs to make sure that a cloud solution meets its return on investment (ROI) expectations. You don't want to end up in a Cloud that ends up costing more than you had planned for, whether those costs come from security risks or from the time and money it takes to manage your Cloud and its security infrastructure.

Just as importantly, there's the concern about security and regulatory noncompliance. In certain cases, a business may simply have no idea how to approach compliance, or how to protect data from a breach (including external hacks and internal threats). If a company is required to protect certain data, it needs to understand exactly how to do that and have knowledge of the specific encryption and authentication standards that this level of compliance requires. Alternatively, a business may have this understanding, with an internal set of controls in place for its physical infrastructure, but when its applications move to a cloud platform, those processes end up moving out of its hands and into those of an outsourced cloud provider.

Despite these overarching concerns, however, companies are warming up to the Cloud, seeing that the benefits, in most cases, outweigh the risks. According to a 2012 survey, companies are increasingly finding cloud computing to be more trustworthy, with 50% of respondents stating they were confident that cloud solutions are viable for mission-critical business applications [7].

Don't look at me...
According to a survey conducted by the Ponemon Institute, 69% of cloud service providers don't believe security is their responsibility, and 91% do not provide security as a service from the Cloud [6].

Businesses that are ready to start their journey to the Cloud must then decide which is the safer—and smarter—option: do it in-house or outsource to a service provider?

Why DIY Doesn't Always Make Sense

A company's first instinct will likely be to build its own private Cloud. This do-it-yourself approach may have made sense back when cloud computing was used solely for testing and development, but for businesses looking to support more critical production environments, the task of building a secure and compliant Cloud internally requires a substantial amount of time, money, and resources. Companies considering the do-it-yourself route need to make the following considerations:

• Invest in owning and managing your own data center. In order to build an internal Cloud, a business would first need a physical data center to house the foundation for its cloud computing environment. You would not only need to invest in data center technologies such as servers, switches, firewalls, load balancers, storage appliances and more, but also pay for the cost of owning or renting the physical space. In addition to such capital expenditures, there are also the operational expenditures of managing and securing the data center.

• Hire security and compliance experts who can stay on top of every patch on every version of every operating system. The challenge with this task is that such experts are not cheap and their very specialized skills are often not scalable. Plus, if security and compliance are an employee's main responsibilities, it probably wouldn't be in a company's best interest to have them working on other tasks that may take their attention away from their primary responsibility of ensuring security and compliance.

• Maintain compliance daily through log reviews, change reviews, vulnerability scans and pre-audits. To really ensure security and compliance, you need to have full 24x7 management of what can often turn out to be a complex data center environment, which can be costly.

Companies have the choice to invest in doing the above, but many often find they're spending more money to manage IT infrastructure, security, and compliance than on innovation and driving forward. Thus, control can be a double-edged sword: it gives you more visibility, but comes with management overhead. For companies that want to maintain focus on their core business, going the cloud service provider route makes more economic sense. And with rising competition between providers, you don't have to worry about giving up visibility and control. The key is finding the right cloud provider that offers both security and economic benefit, as well as vertical expertise that is relevant to your business.

Compliance: It's no small matter
A 2011 survey conducted by Compliance Week and PwC reveals that 48% of senior-level compliance officers felt that the likelihood their company would experience a compliance risk within the next 18 months was "high or very high." And 65% rated the potential impact of a compliance risk as also "high or very high" [8].

If you choose to build a secure, compliant Cloud with internal resources, the most critical requirement is that you have a firm understanding of the laws, regulations, and industry standards that apply to your business. Unfortunately, even with a dedicated compliance team, this isn't always easy.

Finding a Cloud You Can Trust: 5 Questions to Ask Providers

When companies begin their search for a cloud partner, they want one that can offer the safest, most reliable place to run demanding production workloads, but just as importantly, they need a relationship that makes good economic sense. There are a plethora of cloud providers on the market offering robust solutions that promise security and compliance. The challenge is finding the one that meets both your business and security needs, with expertise in your particular industry. Here are five questions to ask cloud providers during your vendor evaluation process:

1. How does your secure environment maintain all the business value and benefits promised by the Cloud? The key business value that will come out of cloud computing is innovation, whether that relates to business, IT, or developer innovation. In order to enable your company to truly innovate, a cloud provider should be able to outline exactly how this is achieved, including alignment between IT investment and business ROI. Having a number of cloud options (public, hybrid, or private) to choose from further helps ensure the level of security and compliance you need in a model that's most appropriate for your business.

2. Do you offer the proper and complete set of security tools and management capabilities to meet industry standards (such as PCI, HIPAA or FISMA) that will ensure my compliance? If so, how? You'll want a provider with vertical expertise that knows your industry's unique requirements and regulations, but also one that has the tools and practices to back that up. The provider should offer multi-layered defense, including stateful firewalls, as well as real-time vulnerability and intrusion detection monitoring and reporting. Even better, some may already have HIPAA, FISMA or PCI compliance-ready configurations and full IT management capabilities to further ease the process.

3. Are your operations completely transparent? Can I see what you see? Just because you're handing over control of your Cloud doesn't mean you should be completely out of the loop. You should be able to see exactly what your cloud provider is doing in your environment, and this includes having access to monthly, weekly, or daily reports that detail everything from user rights, changes, and scans to monitors and logs. If a provider can't give you that visibility, then they're one you'll want to pass by.

4. Can you assist in an audit, and if so, to what degree? You'll need support with both Qualified Security Assessor (QSA) audits and pre-sales assessments to validate IT infrastructure security. Look for a provider that offers the full-scale assistance you need, including forming questionnaire responses, providing sample data, and participating in QSA interviews face to face or via teleconference.

5. How long have you been validated as a Level 1 and/or regulatory committee certified vendor? In a field as complex as compliance, experience counts. So does the ability to prove it. Ask your potential provider for copies of current and past letters documenting that they have been validated by a QSA for Level 1 service provider compliance with PCI DSS. The same should be done for other industry and federal regulations as well. The longer the provider has been undergoing audits, the better hands you'll likely be in.

Key Requirements for a Secure and Compliant Cloud

Technology: Simply implementing leading-edge technology and access controls is not enough. A cloud provider should have a thorough understanding of the technology, including how to set a Cloud up, build a secure network, continually maintain the environment, and protect data, so that it's running at optimal performance.

Strong operations: From patch management and change management to vulnerability management, you need a cloud provider that has a number of security and cloud processes in place to prove that it is operationally strong. It should also have a firm set of information security policies with robust monitoring and testing capabilities for network and security.

Visibility: Many cloud providers will likely offer a cloud portal, but you'll want one that goes beyond simple provisioning capabilities. Instead, you should look for a portal that's designed for both test and development as well as production staff. This portal should also offer visibility into log data and risk information, such as file integrity and vulnerability scans. Look for a provider that gives you true visibility, along with elasticity and management tools.

Recognition and application of use cases: You don't want to work with a vendor who doesn't understand your core business and key requirements. Make sure they can reference a customer they've worked with in your industry vertical to prove they have the knowledge and capabilities to deliver what you need.

Keeping the Business Focus on Innovation

It's important to realize that security and compliance are not a one-time audit event at the end of the year; rather, they are a non-stop job that must be tended to continuously. And when your mission-critical e-business applications are on the line, you don't want to take any risks.

As the global leader in providing compliant managed services, cloud hosting solutions, and dedicated server hosting, Layered Tech offers companies a 100% compliance guarantee with an innovative suite of secure eBusiness Cloud services. From customized and hybrid cloud solutions to fully virtualized cloud data center solutions, Layered Tech delivers:

• Greater business agility. Your competitors are moving fast, and you need to move faster. When you need to upgrade your web apps or roll out a last-minute promotion, you need the resources to rapidly deploy additional compute resources. With our cloud solutions, you can cloud burst to gain extra resources when needed.

• Secure and compliant environment. Our flexible cloud solutions are expressly designed with compliance in mind. Layered Tech delivers fully managed enterprise security with multi-layered defense and a tiered networking model for secure isolation of app tiers, as well as HIPAA and PCI compliance-ready configurations.

• Seamless migration. We help you migrate application tiers with network isolation of VLANs and firewalls, making migration to production faster and easier.

• Flexible engagement model. Just because you're moving an application to the Cloud doesn't mean that you need to do it all at once. We give you the flexibility to migrate as you choose, whether that's launching new elements of an app in the Cloud while continuing to utilize existing physical databases for older elements, or bursting to cloud servers to gain additional resources as necessary.

• Superior performance and availability. Our robust cloud platform is built using best-of-breed technologies (VMware, Citrix, and Cisco) to offer extreme scalability, efficiency, and security. Cloud load balancers enable rapid scaling up or out with available resources, while advanced virtualization, workload management and automation ensure service quality.

Why choose Layered Tech?

At Layered Tech, we don't just enable compliance—we actively manage compliant IT environments. As a recognized leader in secure and compliant hosting, we are:

• The first hosting provider in the world to meet VISA CISP security standards for managed services
• Trusted with direct connectivity into three major credit cards' networks
• An established auditing entity, with ongoing relationships with QSAs
• An active participant in the PCI Security Standards Council
• Included in Gartner's 2012 Magic Quadrant for Managed Hosting and Cloud

Conclusion

For most businesses today, it's no longer a question of whether to move to the Cloud or not; rather, it's a question of how to make the move. And with security being a top challenge with regard to implementing cloud computing [9], the way you approach the cloud transition will undoubtedly be a critical one.

Many companies may instinctively want to build a Cloud internally to maintain control over their environment. But they often fall into the trap of spending more money to manage IT infrastructure, security, and compliance than on the innovation that will differentiate their business. To ensure security and compliance, turning to a cloud service provider presents a compelling alternative that simplifies the ongoing process of protecting a cloud computing environment. However, for companies running demanding (and highly sensitive) production workloads, not just any cloud provider will do. Companies need to thoroughly vet each vendor and make sure they offer the deep security and compliance management capabilities required to support mission-critical e-business applications.

For companies concerned about compliance and security in the Cloud: stop looking where it doesn't exist. Instead, turn to a trusted source where it does exist—turn to Layered Tech. Visit www.layeredtech.com to learn more.

www.layeredtech.com • 1-888-952-4888 • [email protected]

Notes

1 "Cost of data breach climbs higher," Dr. Ponemon's blog / Ponemon Institute, March 2011.
2 Gartner, 2012.
3 IDG 2012 Global Cloud Computing Survey.
4 "Sizing the Cloud," Forrester Research, April 2011.
5 "The Changing Cloud Agenda," Forrester Research, April 2012.
6 "Security of Cloud Computing Providers Study," Ponemon Institute, April 2011.
7 http://finance.yahoo.com/news/2012-future-cloud-computing-survey-213200299.html
8 "Broader perspectives; higher performance. State of Compliance: 2011 Study," PwC and Compliance Week, May 2011.
9 "2012 Cloud Computing: Key Trends and Future Effects," IDG Enterprise, 2012.

© 2012 Layered Technologies, Inc. All rights reserved. All trademarks and registered trademarks are the property of their respective owners.