Virtualization Field Day Delegates Discuss Cloud Security and Compliance
The Virtualization Field Day delegates joined the Virtualization Security Podcast as guest panelists on 2/23, and the topic of the day was cloud security. There were questions about compliance, security of the tenant, security of the administrators, and legal issues. There were answers from Rodney Haywood (Rodos), another Virtualization Field Day delegate and cloud architect, as well as the podcast's standard panelists. So what did the questions boil down to?
Previously, we had a discussion on cloud security from the tenant perspective (Virtualization Security is NOT Cloud Security!). However, we never did show this from the cloud administrator perspective. Even so, the tenant perspective becomes quite important when you talk about compliance, as tenants must rely upon the cloud provider to guarantee compliance. As such, any compliance audit would soon point to the cloud provider's documentation about compliance. Given this, it is important that you choose cloud providers that have the compliance documentation required of you available for perusal before you enter the cloud. Why? If your cloud instance carries a requirement to be PCI compliant, then your cloud provider also has the requirement of being PCI compliant and should be able to prove this to an auditor's satisfaction. This proof is usually in the form of a QSA report of the cloud provider's cloud compliance. Yet just having the document is not enough. As the tenant, you need to understand what aspect of the cloud was in scope when the report was created. Why is scope important?
However, if all the logs you want are those from within your cloud instance, it is quite easy to create and set up a log server within your cloud instance and use that to gather all your non-cloud tenant administration events. At least in this way a tenant can correlate its own data for its own applications and not rely on the cloud provider to manage the application log files for them. Even so, this solution only works for IaaS and PaaS style clouds. For SaaS clouds we are back to the difficulty of software not designed to track individual tenants.
To read the entire article, please click on this link http://www.virtualizationpractice.com/blog/virtualization-field-day-delegates-discuss-cloud-security-and-compliance-15037/