In-Depth

Cloud Visibility: Security Audit Demands for Your Cloud Vendor

The question isn't whether the cloud is secure, but whether your provider can show you what's behind the curtain.

• By Jeffrey Schwartz
• July 01, 2010

Security is the deal breaker for many organizations reluctant to move their enterprise applications and critical data into the cloud. A survey commissioned by Microsoft late last year of IT and business decision-makers found that 75 percent see security as a key risk associated with cloud computing. Some experts will argue, however, that many cloud services are more secure than the in-house enterprise systems where many apps now reside.

Even in scenarios where that is the case, running enterprise data in the cloud means there are certain controls that are not only out of IT's hands, but also aren't visible to administrators or other stakeholders. As such, storing data in the cloud poses certain risk and compliance questions that aren't easy to resolve.

Consider this: Do you know the credentials of those running the systems in cloud services or the ratio of technicians per server? Is it one for every 500 or 1,000 servers? Where is your data being hosted, and on how many different instances? When data is deleted, is it completely eliminated from all servers? How, when and where is it being backed up? What precautions are in place to ensure data on one virtual machine doesn't spill over onto another hypervisor? Your data may be encrypted, but how do you know someone working for your cloud provider hasn't figured a way to decrypt your data?

These are a few of the numerous questions that many cloud providers aren't necessarily answering completely -- or at the very least aren't consistently doing so, some experts warn.

"Not being able to have that visibility and that comfort level that your cloud provider is doing the things that are important to you from a security perspective is slowing down cloud adoption in the enterprise," argues Scott Sanchez, a Certified Information Systems Security Professional (CISSP) and director of the security portfolio at Unisys Corp.

"It's one thing for the provider to say, 'Trust us,'" Sanchez adds. "We let the client pull back the curtain; we let them see audit results; we let them talk to our security folks. Unless you're perhaps one of the top five or 10 clients Amazon has in their cloud, they're not going to give you any of that information. All you get is a little Web page that says, 'We take all the security precautions,' and, frankly, I know they do, as does Rackspace and all the other main cloud providers. But they don't want to tell the public about it; their clients are kind of left to guess."

The Creation of CloudAudit
It's an issue that for years has concerned Christopher Hoff, director of Cloud and Virtualization Solutions for Data Center Solutions at Cisco Systems Inc. That's why Hoff spearheaded an effort called CloudAudit that seeks to develop standards for how cloud providers release information to prospective and existing enterprise clients that can satisfy their compliance and internal governance requirements.

Major cloud providers -- including Amazon.com Inc., Google Inc., Microsoft, Unisys, Rackspace U.S. Inc. and others -- are among those participating in the group, Hoff says, but that doesn't necessarily mean that they're broadly committed to supporting the specs that are released at this point in time. Nevertheless, observers in CloudAudit, which is working closely with the Cloud Security Alliance (CSA), can potentially standardize the way information is shared by cloud providers.

"Cloud computing providers, especially the leading ones, are being overrun by requests for audit information because the level of abstraction that they provide -- by virtue of their service definition -- means in many cases the transparency and visibility decreases. [This] causes an even more-important need for these questions to be answered," Hoff says.

"As they're getting overrun, it sure would be great to have a standard way of answering those questions once, and answering them dynamically, inasmuch as supplying information that relates to these compliance frameworks and questions, and making those answers available in a secure way to duly authorized consumers of that information," Hoff adds. "That could be people looking to evaluate your service, the consumer, auditors, security teams; it could be regulators, or it could be your own operational staff, for that matter."

Finding Transparency in the Cloud

A Q&A with Computer Security Alliance founder and Executive Director Jim Reavis.

It's been more than a year since Jim Reavis founded the Cloud Security Alliance (CSA). Reavis, a consultant, has spent the past 20 years in the information-security field, and the CSA has quickly evolved as the prominent consortium focused on cloud security, with broad support from the IT industry.

In a recent interview, Reavis outlined the latest initiatives of the CSA -- notably efforts to bring better transparency around auditing, trust and compliance among cloud providers.

To what degree are audits, or lack thereof, a showstopper for cloud deployments?
It becomes an area that you've really got to focus on for any type of IT system that's going to have a significant amount of regulation. That tends to equate to: the data, what type of information you're trying to store in the cloud, and is that the type of information that's regulated? So that would include your customer information, personally identifiable information, credit cards and things like that. You can put information in the cloud, but it's definitely more work right now because all of the individual audits that are done tend to be done in their own specific way depending on who's doing that audit. It's a lot like law, and people rely on case history and standards and things like that. So until we have that, it becomes a challenge.

Is it a question of what the audit procedure is, or is it more what type of information the cloud providers disseminate?
The traditional notion is that people who are responsible for IT systems also have management control of it. The cloud basically changes that completely. With traditional outsourcing, there's some of that, but your IT systems are usually in a very specific, discreet place. But with the cloud you really don't have that visibility, so that creates issues with how you do an audit, where you go to get the specific questions answered and what are the right questions to ask. We're just trying to work with the industry to get us all speaking a common language that we can use.

How far apart would you say the providers and the rest of the industry are with regard to speaking that language?
The issue is, the traditional tools and frameworks that are being used don't necessarily capture all of the key issues that are necessary to look at for a cloud provider. I think we're going to make tremendous progress within the next year.

Are you referring to CloudAudit?
We're definitely involved in CloudAudit. We have several people participating and CloudAudit is essentially standardized on our Cloud Controls Matrix. Overall assurance and compliance require a lot of things, and if you look at the very specific things that CloudAudit is trying to do, they're definitely trying to automate and create some changes in how the audit practice works. I don't think Chris [Christopher Hoff, director of Cloud and Virtualization Solutions for Data Center Solutions at Cisco Systems Inc.] is going to completely reinvent the audit industry. There are a lot of things that work well, and it just needs to be scaled toward a different utility mode of computing.

What other efforts are there?
We've got our Cloud Controls Matrix, which we think is very important. It's a control framework that has 98 controls that we've had internal IT, risk management and assurance people inside of a lot of different groups -- Cisco, Dell, Cox Communications, a lot of others. Basically we've come up with 98 controls which we think represent a pretty comprehensive list of controls that are broken down by items provider control, consumer control or is this a control both of these parties in the relationship need to implement and then we map it to a lot of existing frameworks and regulations that people are already familiar with, for example PCI, ISO 27002, HIPAA, and COBIT. And so by mapping this to existing frameworks and standards, the idea is that it helps bridge the gap and it helps people who are not only the auditors but people in IT on the other side prepare and respond to audits that they can leverage their knowledge of existing practices and frameworks, to be able to put in compliance.

That's the whole thing: leverage what you know and take an incremental step, but the controls that we've come up with, this framework should look fairly familiar to people who have been involved in risk management, governance and compliance.

What problems will these controls address?
Basically it's allowing people to leverage knowledge that they already have and compliance programs that they already have and make them cloud-specific. [It will help] bridge that gap so they can apply their knowledge to the compliance issues they face in cloud computing, and it's going to change them from not understanding how to do it to being able to do that successfully and probably pretty rapidly. We're accelerating the industry's ability to be able to show compliance in the cloud.

Is this a set of best practices?
We released our set of best practices or guidance last year and this is derived from that. The version 2 of our best practices guidance was released in December and that's really widely used. Over 100,000 downloaded it and any large organization I talk to tells me that's what they are using for their strategy and architecture, but this is more specifically a controls framework. We're less concerned if it's going to be something that's going to be codified. This is all moving so quickly that we're trying to figure out what role traditional standards bodies have in cloud computing. We are trying to serve an intermediate step of providing useful best practices tools, frameworks that can be immediately used by both provider and customer. And how that evolves into standards we will let nature take its course.

Any sense on what levels of adoption these controls will get?
I'd say the credentials of the people in the organizations that developed this version 1 bodes pretty well for broad adoption. We already have the Cloud Audit group adopting as a controls framework, which is a good sign. I think it maps well to very popular standards, regulations and frameworks that are out there that is also something that's going to cause this to be pretty widely adopted.

Who do these apply to?
They are broken down to the providers or the customer or in some cases, both, in terms of who is responsible for implementing the control, in terms of from an audit perspective. I would imagine all of them apply to someone doing an audit to make sure everything has been covered but that's for an assessment perspective.

Microsoft's Active Directory Federation Services 2 is now shipping which promises to broaden the adoption of federated identity management and add another layer of cloud security. What's your take on that?
In our initial guidance of best practices, we looked at the identity management issues to a wide degree being a federation type issue. We announced the Trusted Cloud initiative at RSA, we released a white paper on that which is for secure interoperable identity management in the cloud. That's a program that will lead to certification, it's ongoing and v1 will be released in the fourth quarter. The issues as we see it, and what Microsoft is doing, are pretty well aligned. They are taking the types of steps that need to happen, so that you can have cloud providers be able to connect into the directories that enterprises have. We don’t want to reinvent the wheel. Microsoft has been an early corporate member and we happen to be very well aligned with Microsoft's view of claims based identity management, and the direction we think the industry needs to go.

Will Microsoft's approach to claims-based identity management map to Trusted Cloud?
It’s a work in progress but I believe it will. I think that claims based identity management and SAML is highlighted quite a bit in what we've done. Microsoft's philosophy on this and their vision on this has been publicly articulated. In my view if they are implementing what they have publicly articulated, while we don’t have our Trusted Cloud initiative completed, I am pretty certain what we are coming up with and the blueprint that we are providing for organizations will fit well with their services and the capabilities that Microsoft is offering.

How important is claims based identity management as it relates to the Trusted Cloud effort? Where does it rank?
Everything fits with compliance. If you don’t have a scalable repeatable way, if you’re an enterprise, to leverage your identity systems with the millions of SaaS applications that are out there, you're not going to have a foundation to be able to go into the cloud, because it's going to be a nightmare if you have to recreate user directories for these providers that could be pretty small. But if you are using a system of federated identity management that uses a claims model, you aren’t going to have to duplicate anything. I think its key, that’s why we re focusing on this and come up with a Trusted Certification, because organizations want to know they can leverage an asset they have already invested quite a bit and in a secure manor with a wide variety of providers, with a varying level of security maturity.

-- J.S.

CloudAudit uses the recently released CSA Cloud Controls Matrix, a framework that consists of 98 controls that specify how cloud providers should release detailed guidelines on how services are audited and risk is determined.

"This framework should look fairly familiar to people who've been involved in risk management, governance and compliance," says Jim Reavis, founder and executive director of the CSA.

The CloudAudit group is building a common API and name space, or directory, called the Automated Audit, Assertion, Assessment and Assurance API (A6) that lets cloud services providers disseminate audit-related data about their infrastructure, platform and application environments that customers can consume, according to Michael Versace, a CISSP and partner with the Wikibon Project.

"For example, if you want to subscribe to the Microsoft Windows Azure service or you want to become an Amazon EC2 customer, you'll want to see a SAS 70 [Statement on Auditing Standards No. 70] report from that vendor," Versace says. The type of cloud service you're subscribing to -- infrastructure, platform or application -- will affect the type of report you require.

"Compliance is the No. 1 driver in information security, and audits are the means to be able to achieve compliance," Reavis says. "It's a bigger issue than specific concerns about the cloud being risky, because we know that no type of IT system, no type of computer is impervious to being hacked."

Aiming for Transparency
Specifically, the CSA Cloud Controls Matrix consists of a cross-reference of some of the industry standards that are out there with regulations such as Control Objectives for Information and related Technology, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry spec for how credit-card payments are accepted in the cloud, and some of the key International Organization for Standardization auditing standards. It also consists of more granular controls, such as how firewalls are configured and how data is encrypted and backed up.

"We've translated that in terms of how we'd get the data," explains Doug Barbin, a director for SAS 70 Solutions Inc., a firm that conducts compliance audits for cloud providers.

The most common way that providers are sharing data with their customers is through audit reports, according to Barbin. Typically what happens is, if you've got a particular question from an existing or potential cloud provider, you have to read a document to find the answer to that question, assuming the provider has disclosed that information.

"The idea with CloudAudit was not to come up with a new set of standards, but to come up with another way that these companies can share this data so that the people who need it can get to it faster," Barbin says. "That could be prospects; that could be customers; that could be auditors. It could have a variety of use cases, but it's meant to alleviate the burden of having to sift through documentation to determine whether a services provider is providing a particular control."

Providing more transparency is critical to many organizations that are considering deploying data in the cloud, Versace says. "If their data is going to be living in the cloud or their applications are going to be living in the cloud, they want that environment to be as transparent as it can be," he says. "They need to understand who's using the data, how it's used, how service levels are being met."

Though the CloudAudit effort has been ongoing for a year, it has picked up steam since March, when the group started having weekly meetings. Still, it's in a formative stage, and in the coming months CloudAudit will start to raise its profile, adding more formality to the process. The version 1 spec is set to be released by July, Hoff says.

"CloudAudit is really not a legal entity in any way -- it's a standards development organization," Versace says. "It's a set of experts that have gathered around this idea that one of the missing links in the journey to the cloud is the ability to collect consistent data from an operations and an audit perspective from your cloud services provider, so you can make some basic risk-management decisions."

That said, CloudAudit is submitting version 1 of its spec to the Internet Engineering Task Force as a request for comment, and the group is now exploring how to formalize its efforts and expand upon its spec.

CEE Efforts
Meanwhile, CloudAudit is monitoring other industry activity as well. Versace points to the Common Event Expression (CEE) consortium, led by The Mitre Corp., which is looking to standardize how computer events are described, logged and exchanged.

"By utilizing a common language and syntax, CEE takes the guesswork out of even the most menial of event- or log-related tasks," claims a posting on the Mitre Web site describing the effort. "Tasks including log correlation and aggregation, enterprise-wide log management, auditing and incident handling, which once required expensive, specialized analysts or equipment, can now be performed more efficiently and produce better results."

In addition to Mitre, among those participating in CEE are Microsoft, Novell and The Open Group, as well as tool vendors ArcSight Inc., Loggly Inc. and Tenable Network Security Inc.

"If the CEE effort is successful, potential benefits to Microsoft customers and partners would be enhanced capabilities of Microsoft products, such as products in the Forefront and System Center product lines, and easier integration between Microsoft products and third-party products, which consume event data," says Eric Fitzgerald, a senior program manager at Microsoft representing the company on the effort.

In tandem with the CEE are The Open Group's X/Open Distributed Audit Standard (XDAS) extensions. The XDAS effort aims to leverage the work of the Distributed Management Task Force (DMTF) Common Information Model (CIM), "which is already defined, for better or worse, all of those domain objects," of common events logged in audit streams, says David Corlette, The Open Group's security forum project leader and a product line lead for identity and security event management products at Novell Inc.

"There has not been much discussion around how the classic network security auditing is going to play in the cloud arena," says Corlette. The principals behind the CEE and XDAS will be fleshing out their efforts over the coming months, he adds.

It's been nearly six months since Microsoft made its Windows Azure cloud service available. The company claims 10,000 customers are now using Windows Azure in some form, presumably for development efforts and pilots. Yet with the new Microsoft mantra of "all-in" for the cloud, IT will no doubt have a vested interest in the future of CloudAudit and whether vendors contribute to the effort in providing more disclosure of how customer data is handled.

Microsoft is not commenting on its future plans, if any, for CloudAudit, but Joel Sider, a senior product manager identity and security, in a blog posting re-iterated Microsoft's support for compliance frameworks.