When hackers raided Equifax’s system, they absconded with the personal data of 143 million individuals. In the blink of an eye, a group of people nearly half the size of the US population had their identities stolen from one of the three major credit bureaus.
Several Equifax executives resigned, but the fallout remains. The IT team had failed to update and patch Apache Struts, which is used to power a system that allowed individuals to dispute agency records. Without the proper updates, it served as an open window for the attackers to get full access to the site.
This was a breach of an on-premises, legacy corporate data center – not the cloud. However, with these large-scale breaches becoming increasingly common, people are interested in determining if cloud data is as secure as cloud service providers (CSPs) would have them believe.
When we look at the myth and reality of compliance concerns in cloud and virtualised environments, we are addressing security. The reality is that this is an environment that is well-suited for data protection with the right safeguards in place. We must also rise above the faulty opinion that regulators are against cloud computing.
Myth: Your data centre beats cloud on security
Here are some thoughts from heavy hitters on the topic.
New York Times deputy tech editor Quentin Hardy noted that cloud data is likely protected by a higher degree of security than data stored in a traditional data centre setting. He added that some of the most highly skilled computer scientists in the world are working to make these cloud systems virtually impenetrable.
In his argument for the security of cloud in TechTarget, David Linthicum talks about “the folded arms gang” – those who feel that cloud computing does not have the mechanisms in place to create a truly secure or compliant setting. Linthicum argues that you should be even more cautious about anything that you put onto your own servers. His own assessment of traditional and cloud ecosystems has revealed the latter to have better security than the former.
Gartner’s report is perhaps the most devastating news to those who don’t believe in the cloud. “[T]he security posture of major cloud providers is as good as or better than most enterprise data centers and security should no longer be considered a primary inhibitor to the adoption of public cloud services,” the report states.
In other words, a cloud that is built credibly and with the most robust, cutting-edge tools is more compliance-ready than a legacy data center. The analyst projected that the number of breaches experienced by infrastructure-as-a-service systems will be at least 60% lower than those of legacy environments by 2020.
Myth: Regulators hate the cloud
Both standards bodies and the federal government have become increasingly receptive to moving past cloud’s virtualized design and treating it as a viable form of technology. For instance, the PCI Security Standards Council has issued Cloud Computing Guidelines.
More mainstream attention has come from the Department of Health and Human Services (HHS) releasing its Guidance on HIPAA & Cloud Computing – relevant to healthcare organisations and their service partners that process or handle electronic protected health information (ePHI). Those parameters are particularly interesting because they represent an acceptance that, with the right safeguards in place, cloud is equipped to meet the strict privacy and security requirements of federal law.
The HHS instructions note that cloud is considered an acceptable means to protect this extremely sensitive, legally protected data so long as the firm working with the cloud provider has signed a business associate agreement with them. The HHS specifically points out that public, private, and hybrid clouds are all acceptable provided that HIPAA compliance standards are met.
Myth: Compliance with cloud doesn’t require anything from you
Compliance is still a dual responsibility between the cloud service provider and the regulated company. The PCI guidelines state that “[c]lear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement.” This language is similar to the notion of a business associate agreement (BAA) under the HHS. These agreements are essential to understanding and delineating roles and responsibilities.
Myth: Virtualisation is an enemy of compliance
Clouds are built on virtual machines, but what about virtual machines that are created in a legacy environment? You can be fully compliant provided you meet the specific needs of a virtual environment – as detailed in the PCI DSS Virtualisation Guidelines.
For example, it is important to pay special attention to the hypervisor, since it is an attack surface that is unique to virtualisation. You should also be careful about mixing virtual machines with different trust levels on the same host, since an intruder could use those with weaker security controls to get to ones with more sensitive data. A virtual environment can meet the needs of all the major standards and regulations just as well as a physical setting can.
Myth: Compliance is easy
The truth is that compliance is complex. It is important to carefully vet all providers to help you protect compliant data. It is also critical to make sure that appropriate safeguards are in place, such as encryption and backup, along with a clear understanding of processes, responsibilities, and accountability.
Cloud is being used today in compliant settings to improve security – supporting the view of thought leaders that this technology is game-ready for any organisation.
Sourced from Marty Puranik, CEO of Atlantic.Net