Finding Compliance in the CloudVendors Still Maturing to Meet Regs
Security expert Alastair MacWillson says that's because heavily regulated fields fear a loss of control, and control is something they must maintain, especially when violations to mandates like the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act [HIPAA] carry such heavy penalties.
While cloud vendors continue to evolve, some haven't matured their security operations to a level with which all organizations feel comfortable, says MacWillson, who oversees security for Accenture Technology Consulting. Finding a vendor that satisfies the requirements of an organization's security goals can be challenging.
"Take a healthcare provider that wants to secure patient-related medical data on a public cloud," he says. "That company has to look at whether the cloud solution can actually be HIPAA compliant. "Then they have to look at whether the solution would cover requirements such as record-level logging, encryption, data breach notification and so on."
The challenge is getting organizations to invest in the cloud. "If a third party still lost the data, then there would be serious implications to the organization involved."
But MacWillson is optimistic, saying vendors' cloud security practices are oftentimes more rigorous than the security of the customers they serve. "[It's] an interesting development in the whole cloud space," he says.
During this first part of a two-part interview with BankInfoSecurity.com's Tracy Kitten [transcript below], MacWillson discusses:
- The evolution of cloud computing and the current state of cloud security;
- The risks industries, from financial-services to government and healthcare, face when dealing with multiple cloud providers; and
- Steps organizations must take to ensure ongoing compliance with regulatory mandates, especially when systems and databases are moved to the cloud.
Be sure to check Barriers Stunting Cloud Adoption, Part 2, when MacWillson discusses regional differences and varying international laws that impact the services and security levels cloud providers offer to businesses and organizations across a cross-section of industries.
MacWillson, who leads Accenture Technology Consulting's security business, works with business and government leaders around the world on issues such as security, trust, privacy and compliance. He also serves on the leadership team of Accenture's global Technology and Delivery service line, where his primary areas of expertise include global security, information security, business and operational risk, technology transformation and technology vision. Before joining Accenture, MacWillson spent 16 years with the U.K. Foreign Service, specializing in political and technical risk analysis in the former Soviet Union, the Middle East and the United States. He has been an adviser to the cooperative Society of Worldwide Interbank Funds Transfer on message security, the U.K, U.S. and Australian governments on critical infrastructure protection, and the European Commission on protecting citizen privacy.
Security and Compliance
TRACY KITTEN: You focus on helping companies hone their security barometers on compliance. As you've watched interest in an implementation of cloud computing grow, what security and compliance concerns or issues do you see?
ALASTAIR MACWILLSON: The challenge is that data privacy and security implications, along with the legal and regulatory issues, are all amplified in the cloud. The other factor is that, so far, security innovation, mostly around the security technology that's needed, has not really fully kept pace with the incredible speed of which the cloud mobile is moving or evolving. Of course that will change as cloud providers continue to mature their security operations and standards emerge to address the risk of the multi-tenant computing environment. But it's very much playing catch up. Overall the security concerns that worry IT leaders are really seven-fold. One is trust, to trust the provider. Do you trust the people at the provider, and do you trust the way your people are going to connect to it? Another factor is where the data is stored. I guess that's one of the big ones, particularly in highly regulated countries. The mechanisms to measure, manage and report on regular compliance, the terms and conditions and services and availability, they're all serious considerations.
A logical response to these concerns is that where there are these security practices, which there are a lot, they equally apply to cloud. What I mean by that is the cloud provider follows the same security procedures and policies that its customer does and expects that if they adhere to the same regulations and follow the same laws, for example, than the customer's risk posture should be unchanged. However, if providers do fall short, then the customer's risks obviously are increased. But one other factor I would say as a final comment is that, what we're seeing increasingly is that in some cases, the security provider's practices are more rigorous that the customers, so the cloud-based provider's practices are more rigorous than the customer. In some cases these providers are doing security better than most organizations that want to use it, which is an interesting development in the whole cloud space.
Gaps in the Cloud
KITTEN: That is an interesting development, because I did have a question about how organizations can work with third-party providers, and perhaps address some of the gaps that may exist between connecting to an in-house network versus this cloud environment. The cloud of course isn't new. It's been around in one form or another for the last decade, but we see a number of organizations across numerous segments taking more interest in cloud computing. The cloud can be risky though especially if an organization outsources or relies on more than one cloud vendor for separate yet tethered operations. Can you tell us about some of the gaps that you've seen in cloud solutions? And again as you've noted, sometimes the cloud vendors have higher security standards than the actual organizations? But if you are working with more than one cloud vendor, what are the risks there?
MACWILLSON: The real underlying problem is that the security and data privacy laws and the underpinnings of the regulations and standards that are currently enforced were instituted pre-cloud. I mean many of them are all now 18 years old, particularly the ISO standards, and they often reference other technical standards that really don't attempt to decipher or address cloud issues, because nobody could visualize virtualization being as extensive as it is now.
Problem areas are things like continuity of cloud services, evidence of controls operating in a virtualized environment, or how you operate secure architectures across jurisdiction, so that's one of the problems. If you've got multi-vendors, then of course those problems are not only amplified but they're replicated across all the vendors. Another gap is around clarifying the roles of the data owner, the cloud provider, and in some cases the system integrator in how they deliver legally compliant solutions. From a legal perspective, there's no clear division of responsibility between the cloud provider, application manager or system integrator and the data owner. That's a real issue in terms of unscrambling how the organization will deal with that. The problem is these regulations only really care that things get done, no matter who actually does them and makes the data owner responsible for the outcome, which is probably right.
But unfortunately, many data owners, i.e. the enterprises that are using the data, putting the data in the cloud, and the providers, have misperceptions or misunderstandings about their individual responsibilities. These factors are really hindering the evolution of what customers see as a secure, compliant, well-thought-through cloud solution in many cases.
KITTEN: I wanted to ask about financial services specifically and some of the concerns that the cloud poses when it comes to compliance with industry standards and mandates, such as the PCI compliance standard for card payments and how financial services providers can ensure the transactional information is protected and encrypted across the payments chain. The PCI standards for virtualization are a little new and they're basically just recommendations. Some industry pundits have been critical of the PCI Security Standards Council's guidance on virtualization, namely because virtualization has been out in the field for so long and any organization that's already invested in a cloud solution, that handles payments, could be vulnerable to risks that haven't even been addressed. Where do you see security gaps when it comes to the payments chain and when we connect this payments chain in a cloud environment, what are some of the security concerns that you see there?
MACWILLSON: That's an interesting question because a lot of organizations are seeing a big opportunity to move PCI-type processing out in the cloud. There are quite a few cloud-based providers that may label themselves as payment card or industry ready, or even validate to this PCI Data Security Standard compliance. But it's important to realize that doesn't mean that an enterprise is automatically PCI DSS compliant in their position or in terms of the services that they provide. Now the unfortunate sort of misunderstanding about all this is that PCI, as you well know, really has teeth in the regulatory perspective. It's quite advanced in the way it needs regulatory controls to be put in place.
But here's a good example of where cloud-based providers are really struggling to keep up. The only way a customer could become compliant, automatically compliant, would be if their PCI compliant cloud-based provider manages the entire application stack and also the underlying platform, because there's just so many different elements of control that need to be put in place. There's no provider that does that at the moment, so organizations have to engage in an effort to determine what's missing in terms of what their cloud-based provider is actually providing from a security controls perspective, and then that may include things like missing documentation, certain crypto elements that are missing like key rotation and malware, or intrusion detection-type capabilities. Most organizations that want to go down this road can really leverage the benefits of PCI out in the cloud, but they do have to recognize that they've got to do some additional stuff to get there.
KITTEN: What about financial services generally? What concerns do you see when it comes to conducting services in the cloud that relate to finances?
MACWILLSON: My commentary about PCI really affects lots of industries, even more retail stuff obviously, but financial services generally have a very conservative perspective about cloud and are slow adopting because of that. I think it's largely because perceptions about the relative immaturity of security and data privacy remain pretty big concerns, definitely one of the big hurdles for adoption, and I think that's because they've got very specific challenges.
At the moment, most financial services organizations really struggle with highly fragmented landscapes of technology and data requiring segmented security solutions across different business units or different business activities. At the moment, their security measures can be quite ineffective either from a cost or an operational performance basis. Now they recognize that those environments still carry a lot of risk and cost forms. The key to looking at alternatives such as cloud and to readily adopt cloud ... is if there was more consistency and automation in the security and data privacy was more reliably provided with advanced technologies. Those things aren't really there yet, so it's a lack of confidence that they can move from a very complex, current environment to a situation where some of the issues that they've been facing over the years are still not addressed, or not being addressed, by a move to a new form of service delivery.
We're seeing some institutions actually thinking about this, not because of public cloud but because of the opportunity around virtualization for a start, but also how virtualization would work in a private cloud. And they're starting to think about how they can segment their data rather than segmenting the different parts of their business or business activities, which they have done historically. They're getting ready for the opportunity, but I'm not sure they've gotten to where they're brave enough or built the confidence to actually move on to that opportunity for high-risk mainstream applications just yet.
KITTEN: What about other industries such as healthcare or even government? What specific security or compliance worries do you see there? One area that I'm thinking of is HIPAA, for instance, which comes to mind. How can healthcare providers ensure that the cloud vendors that they work with are adequately protecting patient data and records?
MACWILLSON: That's a very interesting question because there's a lot of interest. And the irony of that interest is that because of the nature of particularly protecting the sensitive data in healthcare, also across government, and the need to segment data to very sensitive, restricted and unclassified, it really represents big opportunities for a number of industries, healthcare, defense industries and of course government. But the challenge is the maturity of cloud-based providers hasn't quite reached the level that organizations will be confident that it could happen for their particular purpose or application.
Take a healthcare provider that wants to secure patient-related medical data on a public cloud. That company has to look at whether the cloud solution can actually be HIPAA compliant. Then they have to look at whether the solution would cover requirements such as record-level logging, encryption, data breach notification and so on, all of those many requirements that the regulations need and across government that would be the case. There are some cloud-based providers that are getting there, but they're not yet. The challenge is for somebody even brave enough to go into this. And even with some of the measures that I've said they need, if a third party still lost the data then there would be serious implications to the organization involved, which they're obviously clearly nervous about. Security controls that address the gap would really need to be implemented in addition to the existing controls to give organizations confidence that now is the right time to do this, particularly in the healthcare space because the penalties are quite high for breaches as you're probably well aware.
This is the end of the first party of a two-part interview with Alastair MacWillson of Accenture. Please see part two where MacWillson addresses regional differences and varying international laws which are impacting the services and security levels cloud providers are offering to businesses and organizations across a cross section of industries.