
How Can You Prove Compliance in the Cloud?

Whether you’re in the midst of an audit or a forensic investigation, thorough logs are the key to proving compliance with security regulations. So how do you prove your organization is/was compliant when you aren’t able to maintain logs? This is the nagging question that gnaws hungrily at my weary brain every time I ponder cloud computing.

There are almost as many definitions of “cloud computing” as there are clouds in the sky, but this one, penned by Michael Crandell of RightScale a few months ago, seems to sum it up quite beautifully. Cloud computing is:

    the notion of providing easily accessible compute and storage resources on a pay-as-you-go, on-demand basis, from a virtually infinite infrastructure managed by someone else. As a customer, you don't know where the resources are, and for the most part, you don't care. What's really important is the capability to access your application anywhere, move it freely and easily, and inexpensively add resources for instant scalability. –Michael Crandell, RightScale, June 2008. (Thanks to Peter Laird of Oracle Corporation for pointing to this definition during his presentation on cloud taxonomy at Interop New York a few weeks ago.)

The parts of this definition that unnerve me most are “managed by someone else” and “you don't know where the resources are.” I've not yet investigated any of the usage agreements or discussed this with the companies that offer cloud services, but my guess is that organizations have neither the authority nor the ability to establish log settings, maintain logs, or view logs of any activity conducted on that virtually infinite infrastructure.

This is particularly worrisome if you are (and I really hope you aren't) using cloud computing services to store sensitive or protected data. Wouldn't you like to know who else's data is stored on the same server as yours? Wouldn't you like to know when, by whom, and to where your data is copied? Wouldn't you like to know (in the quite likely case that the cloud data center uses server virtualization) when the server VM holding your data is migrated to some other server? Wouldn't you like to know that all of these things were done securely?
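What would it take to answer those questions later, in front of an auditor? The usual answer is an audit log whose entries are chained together by hashes, so that an altered, inserted or deleted record shows up at verification time. The following is an added example written for this post, not code from the author or from any cloud provider; it assumes the customer can capture these events at all, which is exactly what the post doubts. The events, hosts, times and names in it are constructed for illustration.

```python
import copy
import hashlib
import json
from typing import Optional

# Previous-hash value used by the very first entry of a chain.
GENESIS = "0" * 64

# Constructed sample events covering the things the post says a customer would
# want to know: who read the data, where it was copied, and when the VM holding
# it was migrated. All values are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2008-10-20T14:03:11Z", "event": "data.read",
     "actor": "alice@example.org", "object": "customer-db/records.csv",
     "host": "vm-17", "site": "us-east-1"},
    {"ts": "2008-10-20T14:07:42Z", "event": "data.copy",
     "actor": "backup-svc", "object": "customer-db/records.csv",
     "host": "vm-17", "site": "us-east-1", "dest": "eu-west-1"},
    {"ts": "2008-10-20T15:30:00Z", "event": "vm.migrate",
     "actor": "hypervisor", "object": "vm-17",
     "host": "node-a", "site": "us-east-1", "dest": "node-b"},
]


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the previous entry's hash together with a canonical encoding of
    this record. Canonical JSON (sorted keys, no whitespace) means the same
    record always hashes the same way regardless of dict ordering."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> str:
    """Append a record, linking it to the hash of the entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = entry_hash(prev, record)
    chain.append({"prev": prev, "record": record, "hash": digest})
    return digest


def verify(chain: list) -> Optional[int]:
    """Walk the chain from the genesis value. Return None if every link holds,
    otherwise the index of the first entry that was altered or whose
    predecessor was removed or inserted."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return i
        if entry_hash(entry["prev"], entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def events_for(chain: list, obj: str) -> list:
    """Answer the auditor's question 'what happened to this object?' from a
    verified chain: every record naming the object, in order."""
    return [e["record"] for e in chain if e["record"]["object"] == obj]


def build_sample_chain() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


def tampered(chain: list, index: int, field: str, value) -> list:
    """Return a copy of the chain with one field of one record rewritten,
    the kind of after-the-fact edit a verifier must be able to catch."""
    altered = copy.deepcopy(chain)
    altered[index]["record"][field] = value
    return altered


def with_entry_removed(chain: list, index: int) -> list:
    """Return a copy of the chain with one entry silently dropped."""
    return chain[:index] + chain[index + 1:]


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact chain verifies:", verify(log) is None)
    print("first bad entry after an edit:", verify(tampered(log, 1, "dest", "us-east-1")))
    print("first bad entry after a deletion:", verify(with_entry_removed(log, 1)))
    print("history of vm-17:", events_for(log, "vm-17"))
```

One caveat the code makes visible: dropping the newest entry leaves a chain that still verifies, because nothing after it points back to it. To catch truncation, the latest hash has to be anchored somewhere the log's custodian cannot rewrite (a signed timestamp, a copy held by a second party), which brings the argument straight back to the post's point about who controls the infrastructure.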

There are other little security curiosities gnawing at my brain with cub teeth. For example, it's conceivable that the superior load-balancing capabilities inherent in a cloud server farm make denials of service less likely; but if a denial of service did occur, whether through an attack or some unintentional outage, the impact would be quite keenly felt by many organizations.

Mind you, there are some cute, elegant things about cloud services that do make life feel both more fun and more civilized; I just wouldn't be too hasty about moving critical data and services into the cloud.

I'll soon be pestering the major companies offering cloud services (Google, IBM and Amazon, for starters) for answers to these questions. We'll be devoting the entire December issue of the Alert (our publication for CSI members only) to the topic of cloud computing and security. Security in the cloud will also be discussed during our Web 2.0 Security summit at our CSI 2008: Security Reconsidered conference in November.

------------------
Sara Peters, senior editor at the Computer Security Institute, is a well-rounded geek-at-large with particular enthusiasm for Web 2.0 security, Web vulnerability disclosure law, virtualization, and cartoons about ninjas.


Posted in: CSI Events, Cloud Computing, Compliance, Web 2.0.


3 Responses to “How Can You Prove Compliance in the Cloud?”

  1. [...] of cloud services can prove compliance with security, privacy and e-discovery laws. (Blog piece here. Alert issue [...]

  2. [...] discussed a lot of these issues before. Blog pieces here and here. Alert piece here for CSI members only. And we’ll be discussing them in greater [...]

  3. [...] Peters wrote an article on Security Provoked: How Can You Prove Compliance in the Cloud? Whether you’re in the midst of an audit or a forensic investigation, thorough logs are the key to [...]
