Happy Wednesday Everyone,
An interesting question came up in an industry group around Cloud Computing that I would like to pose to this team:
Services over the internet are not a new concept - companies like Electronic Arts, Music Match and others have been serving up content and collecting sensitive data using third-party hosting solutions for years. The biggest difference with the Cloud Model is the dynamic nature of the resources (i.e., expanding and contracting to meet the capacity demand) and technologies employed such as virtualization (servers, desktops, applications).
- What implications or enhancements have you had to make to your Audit and Control to adjust/adhere to using these dynamic features (whether off-premise or on-premise)?
- What do you think needs to happen in the industry to enable embracing some of these newer functions like VMotion or IaaS?
- What solutions have you tried, or adaptations did you need to make, to pass either a SAS 70 audit (off-premise cloud) or an internal audit?
Some examples that come to mind - We have several customers that use Amazon AWS (EC2 and S3) in a hybrid model to adhere to regulatory compliance (HIPAA, FDCC, Children's Online Privacy Acts). For the hybrid model - they use the AWS infrastructure to serve up requests from end users so they do not have to log in or do not have too many people hitting the primary database at a given time. The requests are tunnelled through a reverse proxy that talks through the DMZ into the Datacenter to a Database that has all the "protected" data. This method allowed them to pass audit because a) they had a way to know who accessed what information (audit trail) based on the reverse proxy connection, and b) the data was encrypted in transport and static in the datacenter on a dedicated database - it could be discovered, checked for tampering, and they could ensure that the patches, etc., for that specific box were taken care of.
Another example was a discussion I had with a C-level executive. They use on-premise clouds - except for regulated applications. In their case they keep all the highly regulated applications on six dedicated ESX hosts. VMotion, etc., is only used with change orders for patching and backup (not on demand), so there are no out-of-band changes. They carefully monitor patch levels and layers of these specific hosts - so in the event they have to employ VMotion they can show/prove appropriate patch levels of the host OS and security measures. Other non-regulated applications are not monitored as closely and can take full advantage of the cloud environment.
It would be great to hear more from the group on what you have done, how you leverage your systems management tools in an on-premise or off-premise implementation, and your answers to the above questions.