Chris Day, security architect for global hosting provider Terremark, explains how the firm baked compliance into its Enterprise Cloud, or e-cloud, services. The ability to pass onerous audits like the Federal Information Security Management Act (FISMA) is non-negotiable for Terremark's government customers, but the service provider feels the investment is worth it. Fundamentally, there isn't much that's new about securing cloud computing environments; it's all about streamlining process.
You started on a cloud platform with the premise that it had to pass audits.
Chris Day: We designed [audit compliance] from the get-go because we knew we wanted to support civilian agencies. To do that, we had to be able to pass FISMA-Moderate for sure, and we're actually in the process of doing FISMA-High as well. FISMA auditing is an interesting process. I'd liken it to root canal surgery.
You can't go in and design something and then later go back and say, "Let's get FISMA audited!" If you haven't prepared for it, it's actually impossible. I think you've seen that with some of the other providers. The whole notion of "enterprise cloud" was to have enterprise service-level agreements (SLAs), enterprise mission support and enterprise business-critical support. So we knew we were going to have to support PCI, we knew we were going to have to support other frameworks. To do that, it's not a great mystery.
I'm still kind of astonished by some of the so-called experts and pundits -- who don't actually run cloud computing architectures -- that get out there and talk about cloud in such a fuzzy way.
Why isn't it a big mystery? Cloud security has been a constant irritant to the market.
CD: The reality is that cloud computing is a platform for IT services. You get all these cool new features -- elasticity and self-serve and so on -- but from a security perspective, this doesn't radically change anything. There's no magic. You still have to go through whatever control framework you have as an organization, whether you're a regulated commercial agency or a government agency, whether (or not) you want to be conscientious in your information security.
There are some other issues that come into play, especially on Infrastructure as a Service (IaaS), from a forensics and incident response standpoint. Where machines can be rapidly provisioned, you can do something bad with them, de-provision them very quickly, and they go away. How you handle that from a law enforcement perspective and things like that can get interesting.
Then how do you design for security in this devil's playground?
CD: What we did, as we designed and built our cloud infrastructure, is we wrapped around it a lot of security services. We wanted to be able to duplicate the maturity, from an infosec perspective, that an organization would need for any mission-critical platform in their environment.
How does a regulated customer get on board?
CD: There's a whole product design review process. We have our baseline portfolio, and if someone comes to us and says "Hey, I really need X; if you have X, I can deploy in your environment," there's a package that gets filled out. That goes to operations -- we may have to get guys trained if it's a new system we have to deploy -- then we have support requirements for how it gets integrated into our dashboards for the guys in the NOC [network operations center] and the SOC [security operations center].
It's just the nature of the beast. It's sometimes amusing how people think, "Here is cloud, and it is the Way," and it's a set product, and it's not. It's a platform that has to be able to support flexibility.
We actually have a customer that's on a mainframe behind his cloud environment. He took co-lo space and we cross-connected it into his cloud environment. You have to be able to support these things.
So does Terremark have different levels of actual security in its cloud or is there a baseline that holds for everyone?
CD: They're all treated the same. There's a baseline of, for example, IDS [intrusion detection systems], managed firewalls, flow monitoring, other things, that are there for everybody. Whether or not people are paying dictates what additional services people get, and want. If they want log aggregation because they just want to do good security monitoring or they need it for PCI requirements, they'll choose to purchase those. It's more about what kind of deliverables you get from a reporting standpoint, what SLAs you get, things like that.
When a new customer comes into e-cloud, there's an on-ramping process. It's rapid, but not as rapid as vCloud Express might be. They're going to come in and say, here are the STIGs [Security Technical Implementation Guides] and ISOs [International Organization for Standardization] we want to use. We'll get those loaded in so they now show up in the interface.
Some of it's easier than others. Depending on the complexity of a custom platform, it can be challenging and take some time. We're doing one of those right now; we're taking a very, very large ArcSight deployment out at the customer's site and extending that into our vCloud Express. That takes time.
How do you ease the audits you undergo?
CD: We've got some people that are assigned to it. For example, I've got a guy who is the full-time equivalent of [operations research firm] CNA. His job is to work with the customer and auditors, to shepherd them through it. If you've been around a FISMA audit you understand that it's not as check-the-box as PCI; there's a lot more subjectivity that comes into play, depending on your auditor. You've got to have somebody with enough experience to work those angles.
The other thing is, cloud is new, and virtualization is new. The first FISMA audit we did, the auditors struggled. They said "we don't have any guidance for this," so we worked with them to develop some things that they then ran up [the chain of command] and got approved. It gets easier over time.
We've developed some custom scripts that allow us to go through and do checks; we have our audit book that shows all the problems in the past. An auditor walks in now, he gets a package that's all the things previous auditors have asked for [and] here's our attestation to that. They go through it and decide what they want to go check themselves; they tell us, we facilitate that. You get better and faster at it, but it still takes time. You're not going to get through a FISMA audit, a real one, in under 30-60 days.
Will cloud computing ever hit an ideal state of security, where storage and compute can be completely hands-off, completely transparent and secure, controlled by the user alone?
CD: I don't think we'll ever get to what's being described. No system will be like that, ever. That implies the bad guys are static, and that's just not the case. Cloud is just a platform -- there's no magic there. It's just another way to more rapidly and more elastically provide IT systems.
CHRIS DAY'S BIO:
Chris Day is responsible for managing global information security services for Terremark and its customers. Working with Fortune 1000 companies and financial services firms in the United States, Latin America, Europe, and Africa, Chris has managed numerous consulting projects in the areas of security audit, vulnerability assessment, computer forensics, and secure systems design. He has also been involved as an expert in various security incidents dealing with system intrusions, theft of intellectual property, harassment, and fraud.
Chris graduated Magna Cum Laude with a Bachelor of Science degree in Physics and Mathematics from the University of Miami.