Wednesday, January 18, 2012

Cloud security and compliance

Can we move our workloads safely into the cloud and expect everything to be like it used to be?

When you move to the cloud you normally get no visibility into what the environment looks like. It's all about trust. Some providers may expose their logs, but that is not currently a common thing to provide.

One problem is that the cloud provider's logs are not separated per customer when multiple customers share the same cloud.

We lack a cloud auditing framework (API) that could easily give you such visibility.

Some cloud providers offer tools, such as Catbird, that give you some visibility into your compliance status.

Do you have the right tools for auditing your cloud security?

How do you qualify external auditors before hiring them for a cloud assessment?

Even though VMware owns the hypervisor, it still takes an ecosystem to make sure that not only the platform, but also the workload on top of it, is secure and locked down.

Different businesses have different regulations and requirements.

In order for clouds to become PCI, HIPAA, SOX, etc. compliant there is a need for third-party tools. If you move into a compliant cloud, the responsibility for keeping your data compliant still rests with the data owner (the customer), but there are some variations around this in different countries.

Security is one thing, compliance is another and they need to work together.

These things and more are discussed in episode 75 of @texiwill's Virtualization Security Roundtable.

Video:
In ancient times, before people had TVs, computers and PDAs, people used to look into the fire instead. This video was shot inside my grill hut.