Happy New Year!
Now that we've relaxed, celebrated the holidays, and rung in a new year with optimism and hope, it is time to get right back to work! :-)
To begin 2017, let’s look at attestation and why it is necessary for regulated cloud environments.
Within the context of regulated industries, attestation is the ability to provide documented evidence to prove an assertion. Such evidence might be needed to establish the “good” or “correct” configuration of server hardware, server BIOS, embedded firmware, hypervisor, container, operating system, device drivers, middleware, and applications.
As an example, a good configuration of an application environment means that every element of its executable code, libraries, and configuration files has traceable lineage back through the build control and source control systems. Typically, all components are appropriately licensed and have gone through appropriate vulnerability assessment processes. Any change to code in a regulated application can only be made by following change-control processes that update the attestable evidence.
While change-control processes within the software development lifecycle and DevOps mechanisms are well understood, there has perhaps been less ability to attest configurations in a regulated cloud environment. This inability is partly because certain infrastructure responsibilities may shift from the regulated entity to a cloud service provider.
For example, can your cloud service provider attest any evidence about the safe configuration of their servers, firmware, or hypervisor? If they do, what safeguards and change-control mechanisms are in place to cover changes to that configuration, whether planned, unintentional, or malicious? Unmanaged change of this kind is a situation known as “configuration drift.”
Unless a cloud service provider can both attest and ensure a known configuration on an ongoing basis, the most cautious regulated firms will typically require bare metal capabilities from their cloud service provider. Bare metal uniquely enables the regulated entity to control the configuration, the drift detection, and the attestation itself.
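A minimal illustration of the attestation-and-drift-detection loop described above, written as an added example (it is not code from this post, from Cloud Raxak, or from any cloud provider): each stack tier's configuration is reduced to a canonical hash, the set of hashes is kept as the attestable baseline and protected with an HMAC so the evidence itself cannot be quietly edited, and a later measurement reports which tiers drifted. The tier names, settings, and key are constructed sample data, and the "measurements" are plain dictionaries rather than real firmware or TPM readings.

```python
import hashlib
import hmac
import json

# Constructed known-good configuration, one dictionary per stack tier.
# In practice these values would come from BIOS, hypervisor and OS inventory tooling.
KNOWN_GOOD = {
    "firmware": {"bios_version": "1.2.3", "secure_boot": "enabled"},
    "hypervisor": {"version": "4.1", "nested_virt": "disabled"},
    "os": {"sshd_permit_root_login": "no", "kernel": "4.9.0"},
}

def measure(tier_config):
    """Canonical SHA-256 of one tier's configuration (sorted keys, fixed separators)."""
    canon = json.dumps(tier_config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def build_baseline(config):
    """The attestable evidence: a hash per tier, taken when the build is known-good."""
    return {tier: measure(cfg) for tier, cfg in config.items()}

def sign_baseline(baseline, key):
    """HMAC over the baseline; the key is assumed to stay with the regulated entity."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_baseline(baseline, key, tag):
    """Constant-time check that the stored evidence has not been altered."""
    return hmac.compare_digest(sign_baseline(baseline, key), tag)

def detect_drift(baseline, current_config):
    """Return {tier: {expected, actual}} for every tier whose hash no longer matches."""
    drifted = {}
    for tier, expected in baseline.items():
        actual = measure(current_config.get(tier, {}))
        if actual != expected:
            drifted[tier] = {"expected": expected, "actual": actual}
    # A tier present now but absent from the baseline is also drift (unexpected component).
    for tier in current_config:
        if tier not in baseline:
            drifted[tier] = {"expected": None, "actual": measure(current_config[tier])}
    return drifted
```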
Make no mistake, attestation of configuration across many tiers of infrastructure is necessary but can be a burdensome and expensive challenge. Some frameworks and tools simplify the operationalization of attestation. For example, take a look at Cloud Raxak, a cloud compliance firm founded by former IBMer and friend, Sesh Murthy. Cloud Raxak documents configuration, and detects/addresses drift from boot time onwards through multiple stack tiers. https://www.cloudraxak.com
Attestation will be a recurring theme for regulated cloud in 2017, a year in which we can finally expect to see a widespread and accelerated adoption of Cloud Service Providers by regulated firms.
Excellent post, John. You make several really good points.
Configuration management, especially in the cloud, is at the heart of preventive security. Making sure that your infrastructure is in a known good state at the time of creation, and is then periodically checked and remediated, can dramatically reduce the attack surface.
As you point out, on the cloud it is easy to stand up infrastructure quickly, but managing the security is now an exercise for the user. Managing this at scale has not been easy.
As you also point out, clouds like SoftLayer that enable you to get bare metal machines enable you to verify your configuration from a hardware root of trust. This helps speed the movement of regulated workloads to the cloud.
I look forward to your further posts on the topic.