Securing the Cloud
When one thinks of cloud computing, one thinks of the benefits touted all over the marketing material: reduced cost, increased storage, high automation, flexibility, more mobility, and the freedom for IT to shift its focus. Yet the word security barely crosses the lips of cloud providers. While the cloud computing industry is growing rapidly, the risk profile expands with it. The items that worry me about cloud computing are compliance, data location, privileged user access, data segregation and forensic support.
Compliance is a big one. Companies required to meet PCI DSS, HIPAA, and even state laws like the Massachusetts 201 CMR 17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth, rules that can seem to “get in the way of forward progress”, can all run into trouble in the cloud. PCI DSS compliance is easiest to maintain in the cloud if you do not store, process or transmit cardholder data there; that keeps the cloud environment out of scope. If you have a business requirement to store cardholder data in the cloud, the cloud environment is in scope and must meet the full standard. Can we gain compliance in the cloud for PCI?
If we look at PCI DSS requirement 12.8.2, it states: “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” PCI defines a service provider as an “entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers…” I don’t think many, if any, of the current cloud companies will provide this guarantee in writing.
What about data location? Do you know what country, let alone what region, your data is stored in? What about local compliance: does your cloud provider ensure that the laws of that jurisdiction are met? What about physical access to the datacenters your data is stored in? I bet if everyone were to look honestly around the company they work at, they would find some “misrepresentations” of security policy and practice, which means they also exist at these datacenters. With social engineering being an attack that succeeds the majority of the time, we should put data location into our risk analysis when we are looking at cloud computing.
Do you know who the cloud companies are hiring, from the top down? Can you be sure that privileged user access is not a concern? By pushing applications out to the cloud we bypass the physical, logical and personnel controls that we rigorously depend on in in-house security programs. In house we know who has access and at what level, and more importantly we can audit it; we will neither know nor control this when the cloud is in play. Today you know who your administrators are and who holds extended privileges, but what about at one of these cloud companies? Are you sure the password policy is enforced and that staff do not walk away from unlocked computers or engage in other risky behaviors?
Data segregation is important to me as well. I want cardholder data not mixed in with other data but segregated, so that I can keep a closer eye on it. I want to be able to verify that it is safe, encrypted and stored in a sensible manner, but in the cloud your data sits in a shared environment alongside data from other customers. Yes, I know you are saying it is in my virtual environment and not in my neighbors’, and that is fine and good but naive: with backup software now able to open VMDKs (VMware virtual disk images) and extract data from them, there is a good chance that malware developers and black hats have come up with methods of doing this too, and it could be done without you knowing. Your host-based IDS would not have a clue; would the provider? That is a good question and one that will need answering, just not one I can answer at this point, although I am looking at it because of my own virtual environment.
What about forensic support? Logs and data may be spread across multiple hosts and multiple datacenters, making collection of the required logs hard to accomplish in a reasonable timeframe. What is the retention policy on these logs; will they even still exist when you notice the breach? The other concern is that you will not be able to walk into the infrastructure and do the forensics yourself, so is the vendor qualified, and has it supported such an investigation before? If not, you have to assume that investigation will be impossible.
These are some of my concerns around cloud computing. As the business side keeps pushing for lower-cost alternatives and listening to buzzwords, we have to start thinking about securing our assets outside our own little protective bubble.
I started my life as an ASP Classic developer and have since written code in ASP, ColdFusion, C, C++, PHP, Perl, Ruby, Python and others.
