Clouds in the sky
Don’t Let This Year’s Infosec Trends Cloud Your Judgement
The British summer already seems to be in retreat; outside it is cold and gloomy with angry-looking rain clouds on the horizon. It has always struck me as an odd analogy, as there are plenty of negative connotations associated with fluffy things which lack substance and drift along on the wind without control. For me, the perfect day is a summer’s day without a cloud in the sky.
Last week, I attended Infosecurity Europe, and all things cloud related were definitely being promoted as this year’s must-have. Cloud Computing is really being used as a term to describe the use of infrastructure as a scalable service, abstracting the user from the technicalities of capacity planning, configuration and maintenance of the underlying systems. For those old enough to remember, this is quite similar to using a shared mainframe environment and buying MIPS from a service provider.
Larry Ellison, CEO of Oracle Corp., said that Cloud computing is "everything that we already do" and there will be little effect other than to "change the wording on some of our ads." Frank Gillett, VP of Forrester Research, suggests that the term is being misused to spice up the marketplace rather than being a dramatic change or real innovation. Gillett also refers to "cloud washing" to describe the relabeling of existing products and services to take advantage of the hype. To some extent I believe that they are right, though perhaps within our field of Information Security something is missing: something about the transfer of responsibilities.
The benefits of a scalable and dynamic environment, which doesn’t require heavy investment in systems or resources, are clear. However, the current offerings appear to neglect the key information security issues.
If we view the Cloud Computing provider as a Service Provider, then as users send their cardholder data to the Service Provider, requirement 12.8 of the Payment Card Industry Data Security Standard (PCI DSS) would be applicable, which requires service providers to implement PCI DSS policies and procedures for cardholder data security. This poses a slight issue for Cloud Computing providers, who concern themselves with the technical responsibilities of providing a scalable service, remaining data agnostic and leaving the users to concern themselves with their own data. With PCI DSS, however, the Cloud Computing provider can no longer be data agnostic; they must acknowledge their own responsibilities for securing the data.
PCI DSS is also concerned about scope, which is defined by the systems that store, process and/or transmit cardholder data and any connected networks. In a dynamic and scalable environment, it can be hard to define the scope of the environment. Therefore providers are left with the choice of whether to define the environment and apply controls only to that environment, or whether to apply all of the controls to all possible environments.
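To make the scoping problem concrete, here is an added example (not code from the original post or from any provider) that derives PCI DSS scope from an inventory of hosts: every host tagged as storing, processing or transmitting cardholder data is in scope, and so is every host reachable from one of them over an unrestricted network link. It then simulates the provider scaling out a tier and reports which hosts have just entered scope. All host names, tags and links are constructed for illustration.

```python
"""
Added example: deriving PCI DSS scope from a dynamic inventory.
Scope = hosts that store, process or transmit cardholder data (tagged "chd")
plus every host reachable from them over an unrestricted network link.
The inventory, links and host names below are constructed, not real.
"""
from collections import deque

# Constructed inventory: host -> set of tags. "chd" marks cardholder data systems.
INVENTORY = {
    "web-01": {"chd"},        # payment form front end
    "app-01": {"chd"},        # authorisation processing
    "db-01": {"chd"},         # cardholder data storage
    "log-01": set(),          # log collector on the same network as app-01
    "cms-01": set(),          # marketing CMS sharing a flat network with web-01
    "analytics-01": set(),    # segmented: no link to the cardholder environment
    "report-01": set(),
}

# Constructed network links; a pair means traffic flows freely in both directions.
LINKS = [
    ("web-01", "app-01"),
    ("app-01", "db-01"),
    ("app-01", "log-01"),
    ("web-01", "cms-01"),
    ("analytics-01", "report-01"),
]


def build_adjacency(links):
    """Undirected adjacency map from a list of host pairs."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def pci_scope(inventory, links):
    """Breadth-first walk from every CHD host over unrestricted links."""
    adj = build_adjacency(links)
    seeds = {host for host, tags in inventory.items() if "chd" in tags}
    in_scope = set(seeds)
    queue = deque(seeds)
    while queue:
        host = queue.popleft()
        for peer in adj.get(host, ()):
            if peer not in in_scope:
                in_scope.add(peer)
                queue.append(peer)
    return in_scope


def scale_out(inventory, links, template, new_host):
    """Simulate autoscaling: clone a host's tags and network links."""
    new_inventory = dict(inventory)
    new_inventory[new_host] = set(inventory[template])
    new_links = list(links)
    for a, b in links:
        if a == template:
            new_links.append((new_host, b))
        elif b == template:
            new_links.append((a, new_host))
    return new_inventory, new_links


def scope_delta(inventory, links, template, new_host):
    """Hosts that enter scope when `template` is cloned into `new_host`."""
    before = pci_scope(inventory, links)
    inv2, links2 = scale_out(inventory, links, template, new_host)
    return sorted(pci_scope(inv2, links2) - before)


if __name__ == "__main__":
    print("in scope:", sorted(pci_scope(INVENTORY, LINKS)))
    print("scaling web tier adds:", scope_delta(INVENTORY, LINKS, "web-01", "web-02"))
    print("scaling analytics adds:", scope_delta(INVENTORY, LINKS, "analytics-01", "analytics-02"))
```

Note that `log-01` and `cms-01` carry no cardholder data yet land in scope purely through connectivity, while the segmented analytics hosts stay out even after they scale. The walk has to be re-run every time the provider adds or removes capacity, which is exactly the maintenance burden the post describes.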
Then we have other issues to consider: if there were ever a compromise, how can we obtain forensic images for the investigation, how can we prove who had access to the environment, where are the audit trails secured and who reviews the audit trails for exceptions? In fact, what is defined as a security exception within a particular environment, and who would be liable for the fines and costs associated with any compromise? The compromise of 49 websites of the US Congressional House following the State of the Union address shows that even with the budget and resources of a superpower these issues are hard to address.
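Two of the questions above, where the audit trail is secured and who reviews it for exceptions, can be illustrated with an added example (not code from the original post or any provider). It keeps access events in a hash chain so that any later edit to a recorded entry is detectable, and runs a simple review that flags logins by accounts not approved for a host or from outside the approved network. The events, accounts, addresses and policy are all constructed for illustration.

```python
"""
Added example: a tamper-evident audit trail and an exception review over it.
Each entry's hash covers the previous hash and the event, so altering or
removing an earlier event breaks every hash that follows it.
Events, users, addresses and the policy below are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64

# Constructed access events, in the order they were recorded.
EVENTS = [
    {"ts": "2010-05-18T09:02:11Z", "host": "db-01", "user": "dba.alice",
     "action": "login", "src": "10.0.1.20"},
    {"ts": "2010-05-18T09:05:40Z", "host": "db-01", "user": "dba.alice",
     "action": "query cardholder table", "src": "10.0.1.20"},
    {"ts": "2010-05-18T11:17:03Z", "host": "db-01", "user": "svc.backup",
     "action": "login", "src": "10.0.9.5"},
    {"ts": "2010-05-18T23:48:55Z", "host": "db-01", "user": "contractor.bob",
     "action": "login", "src": "198.51.100.7"},
]

# Constructed policy: approved accounts and approved source network per host.
POLICY = {
    "db-01": {"users": {"dba.alice", "svc.backup"}, "src_prefix": "10.0."},
}


def entry_hash(prev_hash, event):
    """SHA-256 over the previous hash and a canonical encoding of the event."""
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(events):
    """Append each event to the chain, linking it to the previous entry."""
    chain, prev = [], GENESIS
    for event in events:
        digest = entry_hash(prev, event)
        chain.append({"event": event, "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(prev, entry["event"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def review_exceptions(chain, policy):
    """Flag entries that fall outside the approved-access policy for their host."""
    findings = []
    for i, entry in enumerate(chain):
        event = entry["event"]
        rule = policy.get(event["host"])
        if rule is None:
            findings.append((i, "no policy defined for host"))
            continue
        if event["user"] not in rule["users"]:
            findings.append((i, "user not approved for host"))
        if not event["src"].startswith(rule["src_prefix"]):
            findings.append((i, "source outside approved network"))
    return findings


def tampered_copy(chain, index, field, value):
    """Simulate someone editing a recorded event after the fact."""
    altered = copy.deepcopy(chain)
    altered[index]["event"][field] = value
    return altered


if __name__ == "__main__":
    chain = build_chain(EVENTS)
    print("intact:", verify_chain(chain) is None)
    print("exceptions:", review_exceptions(chain, POLICY))
    altered = tampered_copy(chain, 1, "user", "svc.backup")
    print("first broken entry after edit:", verify_chain(altered))
```

The review answers "what is an exception here" only because a policy was written down first; without the approved-user and approved-network lists the fourth event is just another login. Likewise the chain only proves integrity if the latest hash is kept somewhere the environment's administrators cannot rewrite, which is precisely the question of where the audit trails are secured.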
I am not suggesting for one moment that any of these issues are insurmountable, though I seek to highlight that there are questions that still need to be answered; the abstraction and shift of control of the environment from the user to the provider means that the providers must provide the answers to these questions.
A succinct and well written article Philip. It seems that perhaps cloud computing may have to travel the path that virtualisation technology has for the past decade before being accepted as a viable payment processing platform.
It may also perhaps be interesting to see how encryption, VPNs and private clouds will evolve and if these can make the service provider data agnostic while still providing the full benefit of 'clouds'.
It is also interesting to see how economic realities can shape policy. Virtualisation provided the promise of a radical reduction in the cost of computing but ended up delivering modest reductions. If the cloud hype materialises then perhaps the cost savings may provide enough of a competitive advantage for early adopters that they enjoy the short-lived advantage of the technical paradigm shift...