Is your cloud data as secure as your provider would have you believe? Since this issue of security is key, we look at the myth and reality of compliance.
Whether you are a part of the IT industry or not, you have probably seen the Equifax headlines. Hackers absconded with data related to 143 million individuals, including addresses, birthdates, and Social Security numbers. In other words, a population equivalent to 44% of US citizens just had their identities stolen from one of the three major credit bureaus.
Several executives resigned, but the fallout remains. As with other massive breaches of IT infrastructure in the last few years, a component was in place that had not been properly secured. The IT team had failed to update and patch Apache Struts, which the organization used to power the system through which people dispute the agency’s records – an open window through which the attackers were able to gain full access to the site’s data.
Note that this was a breach of an on-premises, legacy corporate data center – not the cloud. However, in a climate in which large-scale breaches of this kind are becoming increasingly common, it makes sense that people want to know whether cloud data is really as secure as cloud service providers (CSPs) would have them believe.
Since security is really the center of compliance, when we look at the myth and reality of compliance concerns in cloud and virtualized environments, what we are really discussing is the myth that the cloud lacks security and the reality of an environment that is well suited to data protection, with the right safeguards in place. There is one other myth that should be addressed too: that the regulators are against cloud computing. Let’s look at these two key concerns related to incorporating the cloud into your business while still maintaining compliance with standards and regulations.
Myth #1: Your data center beats cloud on security
This myth is a strong one that has been around since the beginning. It has really been the fundamental argument against cloud – so let’s throw everything we have at this myth. Here are some thoughts from heavy-hitters on the topic:
New York Times deputy tech editor Quentin Hardy noted that cloud data is likely protected by a higher degree of security than data stored in a traditional data center setting. He pointed out that some of the most highly skilled computer scientists in the world are working to make these systems virtually impenetrable.
In his argument for the security of cloud in TechTarget, David Linthicum talks about his frustration with a group of people he calls “the folded arms gang” — those who feel that cloud computing does not have the mechanisms in place to create a truly secure or compliant setting. While the folded arms gang would say that you need to be very cautious about anything that you put onto a cloud server, Linthicum might say that you should be even more cautious about anything that you put onto your own servers. In fact, Linthicum reported that his own assessment of traditional and cloud ecosystems had revealed the latter to have better security than the former.
Gartner’s assessment is perhaps the most devastating news for those who want to cling to the notion that cloud is not secure enough to meet compliance specifications. “[T]he security posture of major cloud providers is as good as or better than most enterprise data centers and security should no longer be considered a primary inhibitor to the adoption of public cloud services,” a Gartner analyst said. In other words, a cloud that is built credibly and with the most robust, cutting-edge tools is more compliance ready than a legacy data center. This perspective is research-based: the analyst found that by 2020 the number of breaches experienced by infrastructure-as-a-service (IaaS) systems (i.e. public cloud servers) will be at least 60% lower than the number that hits legacy environments. To look at it the other way, by that year Gartner expects data centers to be at least 150% more vulnerable than cloud. Now that is saying something.
If you need any more convincing related to cloud security, you can talk with Dr. John L. Miller, who has a PhD in distributed systems, or security software firm Tripwire’s 4 reasons why cloud outdoes legacy on security (perimeters and surveillance; expertise; auditing; and controlled access).
Myth #2: The regulators hate cloud
Both standards bodies and the federal government have become increasingly aware that it is wrong-headed to treat cloud as some kind of fundamentally flawed technology simply because of the manner of its virtualized design. For instance, the PCI Security Standards Council has issued Cloud Computing Guidelines.
More attention, though, has gone to the federal Department of Health and Human Services’ Guidance on HIPAA & Cloud Computing, which is relevant to healthcare organizations and any of their service partners that process or otherwise handle electronic protected health information (ePHI). Those parameters are particularly interesting because they represent an acceptance that, with the right safeguards in place, cloud is equipped to meet the strict privacy and security requirements of federal law.
The HHS instructions note that cloud is considered an acceptable means of protecting this extremely sensitive, legally protected data – so long as the firm working with the cloud provider has signed a business associate agreement with it. HHS specifically points out that public, private, and hybrid clouds are all acceptable – provided that HIPAA compliance standards are met.
Myth #3: Cloud compliance is easy
Regardless of how secure a cloud environment is, compliance is still understood as a dual responsibility between the cloud service provider and the regulated company. The PCI guidelines state that “[c]lear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement.” This language is similar to the notion of a business associate agreement (BAA) under the HHS advice. These agreements may seem to be mere “pieces of paper,” but they are essential to understanding and delineating roles and responsibilities. HHS even cites a case in which a HIPAA covered entity had stored the ePHI of more than 3000 people on a cloud server without a BAA in place – resulting in a resolution agreement and corrective action plan.
Myth #4: Virtualization is an enemy of compliance
Clouds are built on virtual machines, but what about virtual machines created in a legacy environment? You can be fully compliant provided you meet the specific needs of a virtual environment, as detailed in the PCI DSS Virtualization Guidelines.
For example, it is important to pay special attention to the hypervisor, since it is an attack surface unique to virtualization. You should also be careful about mixing virtual machines with different trust levels on the same host, since an intruder could use those with weaker security controls as a stepping stone to those holding more sensitive data. Precautions specific to a virtual environment are necessary, but such an environment can certainly meet the needs of all the major standards and regulations just as well as a physical setting can.
Myth #5: Compliance is easy
Sorry, but the truth is that compliance is complex. It is important to carefully vet every provider you rely on to help protect regulated data. It is also critical to make sure that appropriate safeguards are in place to protect that data, such as encryption and backup, along with a clear understanding of processes, responsibilities, and accountability.
With that in mind, you can certainly move forward with cloud. Just take the example of ShareSafe Solutions. Having initially rolled out a few test cloud servers for its HIPAA-compliant data, the organization is now deploying a nationwide cloud infrastructure to improve its redundancy and further protect against outages and attacks.
In other words, cloud is being used today in compliant settings to improve security, which agrees with the view of thought leaders that this technology is game-ready for any organization.