The third level of the OCF will be based on continuous auditing of the CSP's security properties. Expected to be available from 2015, the assessment will examine whether a CSP meets the requirements of the Cloud Controls Matrix, the Cloud Trust Protocol and CloudAudit (A6).
As with any new technology, cloud and virtualisation technologies present new risks to the enterprise, especially because most enterprises tend to "transfer the practices they use for technology on-premises to the cloud or virtualised environment," said Siah. For instance, enterprises need to ensure that antivirus scans of the virtual machines (VMs) sharing a host are not scheduled to run at the same time, as the concurrent load overloads the hypervisor and causes an application outage or slowdown. Another risk of cloud and virtualisation is inter-VM attacks. "In a virtual environment, you don't know who your neighbour is so you may not be aware if the machine next to you has been attacked and if you're at risk of an inter-VM attack," he said. Enterprises thus need to think through these risks before embarking on their cloud journey.
Siah also highlighted the importance of virtual patching. "[Since] threats today are able to jump over your organisation's current defences, perhaps due to a vulnerability that is not patched, ...and patching windows have shrunk from months to days, virtual patching is your last line of defence." A virtual patch is a filtering rule placed in front of the vulnerable system, so it prevents malicious traffic from reaching the vulnerable application even before the real fix is deployed, he explained.
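To make concrete what a virtual patch does, here is an added example that is not from the article or from any product Siah described: a small Python request filter modelling the rule an IPS or WAF applies in front of an application whose real patch is not yet installed. The endpoints /reports/export and /api/users, the parameter names, the allowlist patterns and the sample traffic are all hypothetical and constructed for this illustration.

```python
"""Added example, not from the article or from any product it mentions: a
minimal 'virtual patch' filter of the kind an IPS or WAF applies in front
of an application whose real patch has not yet been deployed. Endpoints,
parameters and allowlists are hypothetical."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical virtual patches: for each vulnerable endpoint, the only values
# each sensitive parameter is allowed to take. An allowlist is preferred over
# a signature blocklist because it also stops encodings the rule author never
# anticipated: anything that is not plainly valid is dropped.
VIRTUAL_PATCHES = {
    # assume a file-download endpoint with an unpatched path traversal bug
    "/reports/export": {"file": re.compile(r"[A-Za-z0-9_-]{1,64}\.pdf")},
    # assume a lookup endpoint with an unpatched SQL injection bug
    "/api/users": {"id": re.compile(r"[0-9]{1,10}")},
}


def check_request(url):
    """Decide whether a request URL may reach the application.

    Returns ("allow", reason) or ("block", reason)."""
    parts = urlsplit(url)
    # Normalise the path first so "/reports//export" or "/x/../reports/export"
    # cannot slip past a rule keyed on the canonical path.
    path = posixpath.normpath(parts.path)
    rules = VIRTUAL_PATCHES.get(path)
    if rules is None:
        return "allow", "no virtual patch covers %s" % path
    # parse_qs percent-decodes once; the allowlist then rejects any residue
    # of double encoding (e.g. a literal '%' left over from %252e).
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, allowed in rules.items():
        for value in params.get(name, []):
            if not allowed.fullmatch(value):
                return "block", "%s=%r violates virtual patch for %s" % (name, value, path)
    return "allow", "request satisfies virtual patch for %s" % path


# Constructed sample traffic, as the filter would see it.
SAMPLE_REQUESTS = [
    "/reports/export?file=q1-2014.pdf",
    "/reports/export?file=../../../../etc/passwd",
    "/reports//export?file=%2e%2e%2fetc%2fpasswd",  # path and encoding tricks
    "/api/users?id=42",
    "/api/users?id=42%20OR%201%3D1",
    "/healthz",
]


def blocked_requests(urls):
    """Return the URLs the virtual patch would drop before they reach the app."""
    return [u for u in urls if check_request(u)[0] == "block"]


if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        verdict, why = check_request(u)
        print("%-5s %-48s %s" % (verdict.upper(), u, why))
```

Two caveats a practitioner should keep in mind with any such rule: it only protects the vectors it anticipates (here the query string; form bodies, headers and cookies carrying the same parameter are not inspected), and it must be replayed against legitimate traffic before deployment so that the allowlist does not break normal use. It buys time; the real patch still has to be applied.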
Since insecurity around cloud and virtualisation will always be present, "there is a need for global collaboration between the public and private sectors and the need to be transparent," asserted Siah.
Safely Moving to the Cloud
Lee Han Ther, Regional IT Security Compliance Manager - Asia Pacific, Security and Infrastructure Management & Operations (SIMO), Technology Services-IT services, British American Tobacco, continued the topic of cloud, with a focus on securing the journey to the cloud.
"Cloud computing risk is a combination of IT outsourcing, virtualisation and legal risks," he said. Security controls should thus be implemented at the various stages of the cloud journey to minimise the risks.
According to Lee, there are four stages to a cloud implementation journey: diligence, contracting, ongoing management and termination.
Organisations that are in the midst of selecting their cloud service provider (CSP) are in the diligence stage, he explained. In order to select the right CSP, enterprises need to draft the key requirements and specify all the security controls required in the Request for Proposal. A review of the CSP's standing (financial health, performance record and company certifications such as ISO) is then in order. Enterprises should also ask CSPs to complete a self-assessment to ascertain whether they can meet the organisation's security and privacy requirements.