Finding a way to verify security within cloud provider networks is essential but won’t be easy, a cloud security expert told attendees at the Security Standard conference.
Customers’ need to know how data is protected, where it resides and whether it can be transferred to another provider if need be is at odds with providers’ need to keep their security measures secret, said Vincent Campitelli, vice-president of IT risk management at consulting firm McKesson Corp.
Providers simply don’t have the resources to allow each customer to inspect their networks and perform periodic audits, he said. “That’s an unsustainable mode.”
New models for vetting provider networks are only now being discussed, he said, including the notion of an “uber cloud” service provider that has vetted the security, infrastructure and standards of an array of cloud providers and can attest that they comply with standards.
Those standards have yet to be formulated and would have to meet customer requirements, he said, but they may emerge from work being done by the Cloud Security Alliance.
Traditional third-party assessment of physical networks won’t work in cloud environments, Campitelli said, because the assessors aren’t qualified to assess cloud architectures. “They need tools and new skills,” he said.
A more attainable goal is services that would allow customers to manage security configurations, audit logs and administer the services themselves. They would also be able to impose data leak prevention measures, patch applications and run vulnerability analysis of the services they buy, he said.
But even that wouldn’t be ideal. “How do you know the tools work and do what they say they’ll do?” he asked. “Providers need to have customers gain confidence in these tools.”
Another speaker at the conference said that information needed to make good decisions about cloud security isn’t generally available from the service providers. “Data you’re likely to want is not available, and if it is available, it’s not available to you,” said Warren Axelrod, research director for financial services with United States Cyber Consequences Unit, a private consultancy.
The risks that customers want to know about aren’t new; they are simply in a new environment where they are difficult to assess. “They’re not new risks; they’re a new representation of them,” Axelrod said.
That poses a problem for corporate IT security professionals pressured to approve use of public cloud services because they are so much less expensive than traditional in-house infrastructure deployments. But that means losing control over data.
“If you lose control, you still get the blame. That’s what regulators tell you,” he said. “It’s tough to be responsible without having the control.”
The best course is for corporate teams of IT security and legal experts to assess the downsides of data compromises and then only submit data whose value is low enough that if it is compromised, the costs are bearable, he said.