Considering Compliance in the Cloud

Gates Marshall is Director of Cyber Services at CompliancePoint. He has many years of experience in information security consulting with expertise across secure architectural design, vulnerability and penetration testing, OWASP, forensics, incident response, GDPR, FISMA, MARS-E, and cryptographic control design and implementation.

OPAQ: What exactly do we mean these days by “cloud compliance” versus other security and compliance topics?

GM: In some respects, there is not a big difference between on-premise and the cloud. HIPAA or PCI standards don’t make special exceptions for the cloud. The rules apply the same everywhere. There are also some cloud-specific compliance solutions out there like CloudeAssurance or CSA Star Certification, which allow organizations to achieve a quantifiable rating on compliance. Yet for a lot of things, being compliant in the cloud is not much different than having a data center somewhere or a colocation provider.

A significant problem is that when people sign on with a cloud service provider (CSP), they sometimes think they are outsourcing the due diligence aspect of compliance. Google, Microsoft and Amazon have a number of certifications, but these are to certify their own services. They are not certifying that their merchants and other customers are compliant in any specific client-level implementation.

OPAQ: There are some differences, though, right?

GM: The way you can configure systems in the cloud is different than a traditional on-premise installation. For instance, take PCI DSS, which is a fairly prescriptive standard for merchants. It calls for having a demilitarized zone (DMZ) separate from your LAN to isolate and protect credit card data with a firewall. CSPs may support other mechanisms, like AWS security groups, to facilitate similar functionality; however, doing so still doesn’t meet all of the compliance requirements for a DMZ. So organizations are using these new cloud services, but they are missing some of the requirements as they relate to architecture controls and/or logical segmentation.

OPAQ: How would you describe the level of security and compliance support at the major cloud providers?

GM: They do quite a bit to reduce the burden of compliance. Most of them produce good documentation to declare what we call a service provider controls responsibility matrix. It shows what the provider is doing around compliance and that helps because it both reduces the burden on the customer and declares where the customer’s remaining responsibilities begin. Security at the large CSPs has improved a lot, for instance with services like Amazon CloudWatch for monitoring. All the major providers now have good auditing capabilities for the management interface and offer multifactor authentication. These developments give customers more confidence in the cloud.

OPAQ: Is security protection in the cloud as good as or better than an enterprise on-premise environment?

GM: We tend to have an affinity toward legacy configurations in the on-premise world. By that, I mean we set it up, it works, and we never change it. It’s security via obscurity. When you go through the transformation process to become a cloud-first organization, you need to fix all those legacy issues that were acceptable in the LAN environment. You can’t be so sloppy. Cloud providers may be less secure than on premise, however, because you’re letting someone else manage the Layer 1 infrastructure. The physical addressing and networking and storage configurations now fall on the CSP. They may have weaknesses that you don’t know about, and the customer has to depend on third-party attestations. Hypervisor hopping has been a concern for a while. If a CSP’s hypervisor technology has a flaw, a malicious actor could jump between different customers’ VM guests through the hypervisor. There aren’t any disclosed examples of this happening, but it’s always a risk in a multi-tenant environment.

OPAQ: Yet most if not all of the massive breaches in recent years have been in on-premise environments, right?

GM: While this is true, many of these breaches could have taken place in the cloud. Equifax had a real problem with inventory because they didn’t have visibility into the software that should have been patched. That scenario could have also occurred with a CSP. Vulnerability management is critical in any implementation. Accenture did have an issue in the cloud recently, which could have been disastrous. In October, it was discovered that the global consulting firm had left an AWS S3 storage location unsecured, leaving over 100 GB of customer data accessible without authentication by anyone on the Internet with the correct S3 URL. The insecure configuration of Amazon S3 could also apply to on-premise technologies. No matter where your data sits, IT needs to secure the location against exploitable configurations and software flaws.

OPAQ: Do you foresee more regulation in the area of cloud compliance and security?

GM: Yes. The EU’s General Data Protection Regulation (GDPR) has huge potential to change a lot of things in tech. It goes into enforcement in 2018, and may become a global standard for privacy. GDPR applies to any organization that uses the data of people who are in the EU at the time of data collection. Two key principles of GDPR are that companies and organizations should use data minimization to keep the smallest amount of data possible and use consent mechanisms to ensure they’re authorized to hold or use that data. If you have 10 million customer records, but determine that you only need to keep two million records and purge the rest, your risks go down. If a breach occurs, there is less data loss and lower costs to mitigate the impacts of the loss. Information privacy is the next frontier. The large CSPs realize that if they don’t get in front of this, they will lose business. This will require that CSPs look closely at the leading cyber risk rating mechanisms, and adopt one or two of them. I think we’ll also see more CSPs provide guidance on how to meet global data security and privacy requirements in an effort to help customers help themselves.