Tales from the Cloud – Part 4: Every Cloud has a Silver Lining

Friday, November 6, 2009 by Pam Casale

From the desk of Warren Axelrod:

Sometimes you read about a vulnerability and say to yourself: “Could this be used for good?” That’s what happened when I read about researchers showing how “it is possible for attackers to precisely map where a target’s data is physically within the ‘cloud’ …” in the October 2009 article by David Talbot in MIT’s Technology Review.

Isn’t that just what we need to demonstrate PCI DSS compliance as well as conformity with the requirements of the Gramm-Leach-Bliley Act, HIPAA, Sarbanes-Oxley and the like?

The real issue, discussed in the article, is the reliability of such tagging. However, if the methods can be refined, does this offer a solution to the opacity issue that plagues cloud services? Can companies use such information to demonstrate compliance with data protection requirements?

In my October 13 blog, “Protecting Information Assets – Cloud Services Providers,” I discuss the need for physical and logical controls and the ability to demonstrate compliance with specific data protection regulations. And in my October 19 blog, “Catching Fraud – PCI DSS Compliance Software,” I express concern that compliance with laws, regulations and guidelines, though necessary in and of itself, does not guarantee security. So any methods that will provide more of the information necessary to demonstrate good security and privacy practices are to be welcomed.

There are, of course, somewhat easier ways to track where customers’ data are residing. One way is to carve out specific equipment in known locations for particular client institutions that are subject to regulatory oversight, particularly those in the financial services and health services industries. And it appears that cloud service providers are increasingly willing to offer such services, recognizing the huge potential population of applications that could then take advantage of the cloud. Such specificity will increase the cost of services, since some of the advantages of virtualization and rapid scalability will be reduced. However, with resources costing cloud service providers so much less, it is more than likely that the net cost of “knowable dedicated cloud resources” will still be much lower than most organizations could negotiate on their own.

Another potential advantage is that cloud services providers may be more receptive to your directly monitoring logs of the resources that are dedicated to your particular use – but that remains to be seen.
