Article: Compliance in the Cloud

For compliance and performance purposes, many consultants are recommending that their clients migrate legacy web apps to the cloud.

Does this methodology resolve compliance issues? How can cloud solutions assist with compliance?

Recently I investigated use of a cloud provider to host an agile deployment system and some interesting observations resulted.

My client acknowledged that they were not agile: they had a cumbersome legacy network and equally heavy change processes. Setting up a web hosting framework in a cloud appeared to be a good option.

However, PCI compliance was mandated, along with internal policy that enforced IDS, SIEM and WAF requirements; physical audit compliance was also required.

This meant that an auditor could ask an engineer 'Which disk holds the data for this application?' and have a specific hard drive pointed out in a data centre.

This raises an interesting problem.

Many cloud providers will not allow access to their data centres, refusing access even to auditors. And, cloud technology being what it is, the data may be moved to another host within their infrastructure on a whim.

In some ways, this may be thought of as a Good Thing: if you don't know where your data is, then no one else will either!

Unfortunately this also means that your data may turn up in odd places.

If, for example, your neighbour is sharing a virtual host with you, your data may be stored on the same physical disks as theirs, introducing a new problem. If their system is compromised and the disks are subpoenaed for use in an active investigation of data theft, your data may also be exposed through the legal system!

Also, unless the cloud provider scrubs disks, partitions may contain old data that could be read by a new virtual machine.

Mitigation strategies - preventing loss of data through the cloud

Encrypt all disk partitions containing confidential data. Pre-seed the partitions with random data beforehand, and scrub the disks of VMs being decommissioned in the same way. Do not store the keys on any cloud-hosted platform. Use a secure password storage and retrieval system, external to the cloud, for all administration and encryption keys. Use a VPN with an MFA gateway for administrative access to the cloud consoles, so that the keys cannot be captured as they are entered. Don't use an online service to maintain your key and password database.

Another area that needs to be considered is the effect of legacy vulnerabilities. Simply performing a lift and shift of an existing application will not improve its security: if your application has vulnerabilities, it will still be susceptible to them when moved into the cloud. In some instances, applications need to be redeveloped to make use of updated hosting solutions.

Cloud providers such as Amazon do provide PCI compliance, but how does that work?

They will provide certification for the platform (PaaS, SaaS and so on) that you subscribe to; however, your applications and configuration must also be compliant as a stand-alone solution.

For example, if you migrate your application into AWS to leverage their secure data centre and platform compliance, but your application does not use HTTPS and has database connection strings stored in plain text, the solution is not compliant.
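The two defects named above are easy to catch before migration with a simple configuration scan. The script below is an added example, not code from the original article; the properties file it scans is a constructed sample, and the key names and placeholder syntax in it are assumptions.

```python
"""Pre-migration compliance check for application configuration.

Flags the defects the article names: connection strings with plain-text
credentials, hard-coded secret values, and endpoints served over http.
"""
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed sample: a legacy app.properties about to be lifted into the cloud.
SAMPLE_CONFIG = """\
app.name=legacy-orders
db.url=jdbc:postgresql://db.internal:5432/orders?user=app&password=hunter2
cache.url=redis://:s3cret@cache.internal:6379/0
payment.endpoint=http://pay.example.test/api
report.endpoint=https://reports.example.test/api
smtp.password=letmein
db.password=${VAULT:db/orders/password}
"""

# Credential embedded in URL userinfo (scheme://user:pass@host) or as a password= parameter.
_USERINFO_PW = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]*:[^/@\s]+@", re.I)
_PARAM_PW = re.compile(r"(?:^|[;?&\s])(password|pwd)=([^;&\s]+)", re.I)
# Assumed placeholder syntax for a secret fetched at runtime: a reference, not a secret.
_REF_PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")


def check_config(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, key, finding) for each non-compliant setting."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if _USERINFO_PW.search(value) or _PARAM_PW.search(value):
            findings.append((lineno, key, "plain-text credential in connection string"))
        elif key.lower().endswith(("password", "secret")) and not _REF_PLACEHOLDER.match(value):
            findings.append((lineno, key, "plain-text secret value"))
        # Unencrypted transport: any endpoint whose scheme is plain http.
        if urlsplit(value).scheme.lower() == "http":
            findings.append((lineno, key, "endpoint uses http instead of https"))
    return findings


if __name__ == "__main__":
    for lineno, key, finding in check_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {key}: {finding}")
```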

Where are we going here? Basically, being compliant in the cloud requires careful planning. Ensure that the application developers are competent in secure programming practices, and that the virtual infrastructure deployed maintains the standards required.

If you are concerned that your hosting environment is not secure, contact Talbytech today for a free quote!