Managing Security and Compliance in the Cloud
For many IT departments, the consumerization of IT is undermining their ability to keep customer data secure and in regulatory compliance.
Because the internal IT organization is often perceived as overly rigid, employees have taken it upon themselves to solve their own data access and management issues. That frequently means accessing consumer-grade file-sharing services in the cloud with little thought to compliance ramifications.
To address the root cause of the compliance problem, Kent Christensen, virtualization practice manager for the IT services firm Datalink, says IT organizations need to truly manage IT as a service. Only then does IT have the agility to deploy private cloud services that provide the level of flexibility end users require without compromising compliance requirements.
“The awareness of these issues is picking up exponentially,” says Christensen. “This is one reason you see so much interest in private clouds.”
Of course, many private clouds are hosted in an external data center to save costs. But in many instances customers fail to take into account that regulations require controls over the IT administrators who have access to those clouds.
“The thing people have to remember is that in a lot of instances being in compliance only applies to a single instance of time,” says Major Hayden, chief security architect for Rackspace. “You may have a golden image for your application but you might not be aware of who has an encryption key for your system at any given moment.”
For that reason, Rackspace became a customer of SSH Communications, which recently launched a risk assessment application that helps IT organizations discover who has access to which Secure Shell (SSH) keys.
“SSH is a huge potential problem in the cloud that a lot of people have not given much thought to,” says SSH Communications CEO Tatu Ylonen.
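As an added illustration of the inventory problem Hayden and Ylonen describe (this is example code written for this page, not SSH Communications' product or anything Rackspace runs), the script below parses OpenSSH authorized_keys entries, fingerprints each key the way ssh-keygen -lf does (SHA256 of the decoded key blob), and maps fingerprints to the accounts they grant access to. It flags one key authorised for several accounts, root grants without a forced command, and keys with no owner comment. The account names, key blobs and severity labels are constructed for the example; the only real-world assumptions are the authorized_keys line format and the /etc/passwd layout used by collect_from_filesystem.

```python
"""Inventory which SSH public keys grant access to which accounts on a host.

Added example for this page; not any vendor's tool. Sample keys below are
constructed wire-format blobs, not real keys.
"""
import base64
import hashlib
import pathlib
import shlex
import struct
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def make_blob(key_type: str, *fields: bytes) -> str:
    """Base64 of a public-key blob (keytype string, then each field as a string).
    Only used here to build constructed sample keys."""
    wire = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(wire).decode()


def fingerprint(raw_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(raw_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_of_blob(b64_blob: str) -> str:
    return fingerprint(base64.b64decode(b64_blob, validate=True))


def parse_authorized_key(line: str):
    """Parse one authorized_keys line: [options] keytype base64 [comment].
    Returns None for blank/comment lines; raises ValueError on malformed input."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # keeps command="..." as one options token
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            break
    else:
        raise ValueError(f"no recognised key type in: {line!r}")
    if i + 1 >= len(tokens):
        raise ValueError(f"missing key blob in: {line!r}")
    raw = base64.b64decode(tokens[i + 1], validate=True)
    # The blob itself starts with its key type; it must match the declared one.
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n].decode(errors="replace") != tokens[i]:
        raise ValueError(f"declared type {tokens[i]} does not match blob")
    return {"type": tokens[i], "fingerprint": fingerprint(raw),
            "options": ",".join(tokens[:i]), "comment": " ".join(tokens[i + 2:])}


def inventory(authorized_keys_by_account: dict) -> dict:
    """Map fingerprint -> list of grants from {account: authorized_keys text}."""
    index = defaultdict(list)
    for account, text in authorized_keys_by_account.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            entry = parse_authorized_key(line)
            if entry is None:
                continue
            index[entry["fingerprint"]].append({
                "account": account, "line": lineno,
                "options": entry["options"], "comment": entry["comment"]})
    return dict(index)


def findings(index: dict) -> list:
    """Flag grants a reviewer would question. Labels are this example's own."""
    out = []
    for fp, grants in index.items():
        accounts = sorted({g["account"] for g in grants})
        if len(accounts) > 1:
            out.append(("shared-key", fp, f"same key authorised for {accounts}"))
        for g in grants:
            if g["account"] == "root" and "command=" not in g["options"]:
                out.append(("unrestricted-root", fp,
                            f"root line {g['line']} has no forced command"))
            if not g["comment"]:
                out.append(("no-owner-comment", fp,
                            f"{g['account']} line {g['line']} has no owner comment"))
    return out


def collect_from_filesystem(passwd_path="/etc/passwd") -> dict:
    """Gather authorized_keys text for every account in passwd (run as root)."""
    found = {}
    for rec in pathlib.Path(passwd_path).read_text().splitlines():
        parts = rec.split(":")
        if len(parts) < 7:
            continue
        user, home = parts[0], parts[5]
        for name in ("authorized_keys", "authorized_keys2"):
            p = pathlib.Path(home) / ".ssh" / name
            if p.is_file():
                found[user] = found.get(user, "") + p.read_text()
    return found


# Constructed sample data: three accounts, one key reused by deploy and root.
CI_BLOB = make_blob("ssh-ed25519", b"\x01" * 32)
ALICE_BLOB = make_blob("ssh-ed25519", b"\x02" * 32)
BACKUP_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x03" * 256)
SAMPLE_AUTHORIZED_KEYS = {
    "deploy": f"# CI pipeline key\nssh-ed25519 {CI_BLOB} deploy@ci\n",
    "root": (f"ssh-ed25519 {CI_BLOB} deploy@ci\n"
             f'command="/usr/local/bin/backup.sh",no-pty ssh-rsa {BACKUP_BLOB}\n'),
    "alice": f'from="10.0.0.0/8" ssh-ed25519 {ALICE_BLOB} alice@laptop\n',
}

if __name__ == "__main__":
    for label, fp, detail in findings(inventory(SAMPLE_AUTHORIZED_KEYS)):
        print(f"{label:18} {fp}  {detail}")
```

Run as root with `inventory(collect_from_filesystem())` to get the same report for a real host; across a fleet, feed the per-host dictionaries into one index so a key that appears on many machines shows up as a single fingerprint with all its grants, which is the view you need to answer "who holds a key to this system right now" rather than "what did the golden image contain".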
Of course, a major part of the cloud compliance problem would be solved if organizations simply implemented better security. But a global study of 4,205 IT professionals conducted by the Ponemon Institute on behalf of Thales e-Security, a provider of encryption software, found that 53 percent of organizations transfer data to the cloud regardless of whether it’s encrypted or not. And even with all the awareness concerning cloud security, another 31 percent said they plan to transfer data into the cloud in the next 12 to 24 months, again regardless of whether it’s encrypted.
“There’s a perception that the cloud service provider is going to be responsible for security,” says Richard Moulds, vice president of product management and strategy for Thales e-Security. “But it seems a little too cavalier to assume that’s the responsibility of the cloud service provider.”
Obviously, not all data needs to be encrypted. But when it comes to the cloud, organizations might want to err on the side of encrypting as much data as possible when they don’t know who has access to it or where it might end up.
“When the goal is to provide higher levels of security, compliance becomes a by-product,” says Mahmood Sher-Jan, vice president of product management for ID Experts, a provider of data breach risk assessment and analysis tools. “But it can be hard to get the business to understand the return on making those kinds of investments.”
For that reason, ID Experts has been promoting the adoption of the ANSI PHI Project, which is intended to help organizations make the financial case for more investments in breach protection.
There’s no doubt that anything to do with IT compliance and security is fraught with risk. But ultimately it’s the job of the CIO to ensure these issues don’t blindside the organization further down the road. Initially, that may mean focusing on training and educating employees about the risks associated with using shadow IT services in the cloud.
But until IT is able to offer a credible set of alternate services, there will always be tension between disaffected employees and IT that will spawn any number of compliance issues. Rather than treating those employees like criminals, the better part of valor will be to securely provide the agility that employees have come to expect from IT.