Discover Performance: HP Software's community for IT leaders // April 2012
Cloud compliance: Clearing the haze
Moving applications to the cloud can complicate your security landscape, making it even more difficult to stay in compliance with standards such as PCI.
As organizations move to the cloud, they are dramatically changing the nature of the network perimeter and making a deeper commitment to virtual machines. These issues are compounding many security challenges that first arose with virtualization. Most notably:
- Computing resources are spread out—sometimes around the globe.
- Visibility into storage and security of data is compromised.
Yet PCI (payment card industry) and other standards dictate full visibility and control of your data. Businesses need something to bridge this widening gap.
The cloud era will require enterprises to change their approach to compliance. With heavily virtualized and cloud-based networks, organizations will need automated assistance to vet the security products they use and provide a simple, methodical way to assure regulators—and themselves—that the entire environment is tightly locked down.
The crumbling perimeter
Traditional methods of securing the network focused on the perimeter. But thanks to virtualization and cloud, the perimeter isn't what it used to be. Purely physical appliances aren't enough to protect today's non-contiguous perimeters. Instead, companies need purpose-built solutions targeted toward virtual environments.
There are other complications as well. Lack of visibility makes it far more difficult to trace and control activities from within the network.
"Highly virtualized enterprises are much more vulnerable to a well-placed insider attack," says Greg Adams, vice president of Enterprise Security Products at HP TippingPoint. "Threats that come from inside the network are now far more difficult to detect."
Additionally, for those electing to hire a public cloud service, security issues are compounded by the fact that enterprises and cloud providers are not always in agreement about who bears the responsibility.
These facts have not escaped the notice of regulators. The most recent version of the PCI standard introduced dozens of new, security-related components, many of which are specifically targeted toward virtualized environments.
Getting insight into your next-gen network
Regardless of who's managing the servers that store and transmit data, to achieve compliance enterprises must:
- know where their data is and how it is moving through the network;
- understand how things are being accessed in the cloud; and
- be able to prove to auditors and regulators that every security requirement is being met.
In a highly virtualized, cloud-distributed, next-generation network, this can be challenging, to say the least. Creating proof of security compliance requires meticulous vetting of each security solution to ascertain—and then document—its capabilities in relation to each requirement. Such a hand-built mapping would quickly fall out of date and require ongoing manual effort to keep current.
"Many businesses are working hard to assemble a security map, but they usually end up with something unreliable," Adams says. "There's no end-to-end approach today—but that’s changing."
A GPS for compliance
Organizations need help to take the guesswork out of the process of validating compliant security architecture. Demand is already great for a simple, automated way to connect the dots between “what are we required to do?” and “what are we already doing?”
A reference architecture for PCI compliance, for example, is an effective way to show that the products you use map directly to particular PCI requirements. To be effective, it would incorporate multiple security technologies designed to work with virtualization technology. Rather than surveying your network on your own, using the equivalent of a map and a compass, a reference architecture can act as a GPS signal, guiding you right to the information you need while minimizing the extensive time and effort normally required.
Additionally, if the reference architecture is objectively validated by a third party, it can satisfy the majority of requirements in an audit with little to no additional effort. The most complicated audit requirements would no longer plague organizations with uncertainty.
HP is working with independent IT GRC firm Coalfire Systems Inc. to validate a reference architecture. The architecture will feature the necessary security components working with the industry’s leading virtualization software to provide a detailed description and certification report that customers can provide to auditors. This will let them satisfy 110 of the 200 controls, as specified by PCI-DSS 2.0.
Solutions of this type will provide a major way forward as security concerns increasingly address both the proliferation of cloud technology and the ever-changing regulatory landscape. Find out more at http://www.HPEnterpriseSecurity.com/solutions/cloud-security.