Will Private Cloud Security and Compliance Reach The Critical Masses? A Call to Arms. - Executive Viewpoint 2013 Prediction: RSA
As virtualization and cloud technologies have been universally introduced in our datacenters, there is a rising groundswell of opinions and strategies as to how security and compliance of cloud infrastructures can be addressed. The ultimate goal should be to deploy one framework that provides continuous controls, threat, vulnerability and risk monitoring for both your public and private infrastructures (as you will almost certainly have both), then rolls that combined information into one coherent set of views, workflows and audit reports (“there you go mister auditor, just click here for all the information you need, I’ll be having a.) a cocktail, b.) hang gliding lessons, c.) a nap”).
But we’re not there yet, and I’d like to focus primarily on security and compliance for private infrastructures, as we have to start somewhere. We are definitely seeing the effects of not having broad availability and acceptance of even some of the most fundamental components of such a framework: a general hesitance towards virtualization of critical applications, let alone moving them to the public cloud. There are two main exceptions to this (non-)trend. The first is organizations that have the luxury of a large, highly competent security team that can build and manage their own framework. Such companies are currently reinventing the wheel themselves out of necessity, with considerable duplication of effort and no assurance of adherence to best practices. The other exception is the organizations that are going ahead with critical-app virtualization anyway, deaf to the cries (often literally) of their security-focused colleagues, with either a gung-ho “security be damned” attitude or with eyes squeezed shut and fingers crossed while trying to erase that mental image of the white-collar perp walker.
So with regard to the virtualization of the crown jewels, there seems to be a combination of stagnation, over-exertion and blind faith, which is not really a reassuring combination. The fact that most existing non-critical apps and most newly deployed apps of all types are being virtualized means that there is a significant backlog of critical applications that have not been virtualized, and newly deployed critical applications that are not being virtualized securely, all with varying degrees of auditability.
It is, therefore, time for vendors to cooperate and stop claiming that their point solution “provides compliance.” (It may do so to a degree, but often with very limited scope.) No single product can perform and report upon all the requirements of PCI, for example, yet every product out there says it provides PCI compliance. Even if you’re not beholden to PCI, it’s a great standardized baseline of security best practices: broad enough to be secure (defining a few hundred controls), but not so broad as to be unmanageable (some standards define thousands of controls). With this convergence of security and compliance, those two goals can potentially be achieved with one initiative. If a prescriptive, repeatable, modular, multi-vendor framework were laid out that described exactly how to perform each of the security controls, as well as how to orchestrate, report on and assist with the preparation of audit responses, all in one place, wouldn’t that be a good place to start? Once one standard has been achieved, it’s not too difficult to expand coverage to more. There is at least one such cooperative initiative underway as we speak, and it will be fascinating to see the reaction to it and maybe even some adoption of it. Maybe we can turn some of those potential perp walks into walks in the park.