During a recent customer visit, an intriguing question was posed during a datacenter automation demonstration: “How exactly does compliance fit into the world of cloud computing?” One would expect such a question to draw a short and simple response, yet so many variables play into the definition of the word “compliance”. As a Senior Solutions Consultant for BMC Software, I’ve worked with a wide variety of organizations that have different pending compliance requirements and issues. Compliance, from regulatory to operational, has a different context and level of significance in each organization. When the discussion turns to cloud computing and compliance, a host of questions results.
One question that is always asked, though, is “What exactly are you trying to achieve with cloud computing?” The answers help define the compliance requirements for that organization. If the cloud is being used for additional elastic computing capacity for front-end web application servers, Payment Card Industry (PCI), HIPAA, and Sarbanes-Oxley (SOX) compliance potentially come into play, alongside operational compliance such as the Center for Internet Security (CIS) benchmarks. Furthermore, if an organization has not clearly defined its own compliance process, the best practices that regulatory compliance provides may not be easy to apply to the cloud, because the consumer lacks visibility into infrastructure-level resources. Firewalls fill a basic functional security requirement; however, not every cloud computing provider can clearly articulate how multi-tenancy is handled in its firewall service. Log management is also a key requirement; however, most infrastructure providers leave that level of service for the end consumer to figure out.
One area that is casually overlooked is maintaining compliance of the systems themselves. Maintaining a configuration management process in the context of compliance is key to ensuring that all systems, whether housed internally or at an external cloud provider, conform to the organization’s compliance policies. A simple analogy: if a building’s walls are strong enough, the building should be able to withstand attack without multiple additional layers of security. Maintaining a strong, secure baseline for all applications and systems is required. Virtual machine images play a key role in cloud computing provisioning. These images cannot simply be taken off the shelf; they must have gone through a security hardening process to ensure that the core operating system and applications have been vetted and secured in a manner that minimizes security exposure and risk. Rapid provisioning of machine instances creates virtualization sprawl, which increases attack exposure if the core machine image has not been properly hardened.
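To make the “secure baseline” idea concrete, here is an added example (not BMC’s code, nor any product’s) of the kind of check a configuration management process runs against a candidate machine image before it is allowed into the provisioning pool. The baseline rules, the sshd_config contents and the package list are constructed sample data chosen to resemble common CIS-style hardening controls; the control names and values are assumptions for illustration only.

```python
"""Baseline compliance check for a hardened machine image (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: /etc/ssh/sshd_config as found on a candidate image.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample, not from a real system)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

# Constructed sample: package inventory of the same image.
SAMPLE_PACKAGES = ["openssh-server", "rsyslog", "telnet-server", "auditd"]

# Hypothetical baseline: required sshd settings and packages that must be absent.
BASELINE_SSHD = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}
FORBIDDEN_PACKAGES = {"telnet-server", "rsh-server"}


@dataclass
class Finding:
    control: str   # which baseline control failed
    expected: str  # value the baseline requires
    actual: str    # value observed on the image ("<unset>" if missing)


def parse_sshd_config(text):
    """Return {keyword(lowercased): value} from sshd_config text.

    Comments and blank lines are ignored. sshd honours the FIRST occurrence
    of a keyword, so the checker keeps the first value too; a checker that
    took the last value could report a setting sshd never actually applies.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key.lower(), value)  # first occurrence wins
    return settings


def check_image(sshd_text, packages, baseline=BASELINE_SSHD,
                forbidden=FORBIDDEN_PACKAGES):
    """Compare one image against the baseline; return a list of Findings."""
    findings = []
    settings = parse_sshd_config(sshd_text)
    for key, expected in baseline.items():
        actual = settings.get(key.lower(), "<unset>")
        if actual.lower() != expected.lower():
            findings.append(Finding(f"sshd:{key}", expected, actual))
    for pkg in sorted(set(packages) & forbidden):
        findings.append(Finding(f"package:{pkg}", "absent", "installed"))
    return findings


def is_compliant(sshd_text, packages):
    """True only when the image produces no findings at all."""
    return not check_image(sshd_text, packages)


if __name__ == "__main__":
    report = check_image(SAMPLE_SSHD_CONFIG, SAMPLE_PACKAGES)
    for f in report:
        print(f"FAIL {f.control}: expected {f.expected!r}, found {f.actual!r}")
    print("image compliant" if not report else f"{len(report)} finding(s); reject image")
```

Run against the sample data, the check rejects the image for root SSH login, password authentication, a missing MaxAuthTries limit and an installed telnet server; only after those are fixed in the golden image does it pass, which is the gate that keeps sprawl from multiplying an unhardened baseline.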
Keep the foundation secure, and you’ll keep your enterprise secure.