McAfee is not alone in warning of the threat of APTs to all businesses (not just military and government interests).  The Security for Business Innovation Council released a report titled “When Advanced Persistent Threats Go Mainstream,” which contains security recommendations from “16 of the world’s leading security officers” on how companies make themselves vulnerable and new approaches for taking defensive measures against this escalating threat.  The Council’s report notes that APTs are no longer only targeting the defense industry, they are attacking enterprises across industries and moving beyond seeking credit cards to “pursuing high-value digital assets such as intellectual property, across mission-critical operations, and other proprietary data and systems.”      

One of the preventative recommendations made in the report is to “activate smart monitoring.”  Specifically, the report describes how some security teams are using an innovative approach modeled on data analytics used for business intelligence to detect intrusions.  Those security teams are using “an analytical engine to sift through massive amounts of real-time and historical data at high speeds to develop trending on user and system activity and reveal anomalies that indicate compromise.” 

The report also mentions that one of the current challenges facing security teams using data analytics is how to store and process that massive amount of data.  A blog post by EMC’s Chuck Hollis describes how new products from EMC and RSA use the cloud to combine storage and data analytics capabilities to provide real-time situational awareness designed to stop complex cyber threats.     

The security concerns related to virtual environments are heightened for companies in the payment card industry.  Those companies face a difficult task of adapting the Payment Card Data Security Standard (PCI DSS) developed for logical environments to virtual environments, like cloud computing environments.  The PCI Security Standards Council released guidelines on June 14, 2011 to help merchants, processors, card issuers, and service providers bridge that gap.

The PCI DSS Virtualization Guidelines Information Supplement provides:

• Explanation of the classes of virtualization often seen in payment environments including virtualized operating systems, hardware/platforms and networks
• Definition of the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each
• Practical methods and concepts for deployment of virtualization in payment card environments
• Suggested controls and best practices for meeting PCI DSS requirements in virtual environments
• Specific recommendations for mixed-mode and cloud computing environments
• Guidance for understanding and assessing risk in virtual environments

The Appendix to the Supplement describes in detail how each of the 12 broad PCI DSS controls that are mandated for logical environments, need to be applied in a virtual setting.

For cloud computing, the Supplement identifies the extent to which enterprises are responsible for ensuring compliance and the extent to which cloud vendors are responding for ensuring the right controls are in place.  If companies choose to have their PCI workloads hosted on multi-tenant, public cloud infrastructures, those companies need to ensure that their cloud vendors have additional controls for protecting their data.  According to the Supplement, the challenges involved in protecting PCI data in a multi-tenant environment, "may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner." "Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."

On June 27, 2011, the Practicing Law Institute will be offering a one day seminar devoted to Cloud Computing in San Francisco.  The seminar will also be webcast and accessible at any location.  Baker Hostetler partner Peter Brown is the Co-Chair of the program.  He will also be part of a panel discussion on "Cloud Vender Agreements: Key Considerations."  In addition, Baker Hostetler partner Fernando Bohorquez will be presenting on the subject of  "Cloud E-Discovery: It Just Isn't So Clear."  Further information about this PLI program can be found at www.pli.edu/Content

The National Institute of Standards and Technology (NIST) recently revised its definition of cloud computing:

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.  This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models."

Another recent background resource is the “Cloud Computing: Architectural and Policy Implications” paper released by the Technology Policy Institute, which was written by Professor Christopher S. Yoo.  The paper discusses the technical resources used in cloud computing, starting with an explanation of “Key Cloud Computing Concepts,” including “virtualization.” [The NIST also just released the final version of its Guide to Security for Full Virtualization Technologies]  Other topics include the economics of cloud computing, as well as architectural implications for access networking and data center interconnectivity.  The paper concludes with a discussion of industry impact and regulatory implications. 

On the same day the NIST released its newly revised definition of cloud computing, it also released its first privacy and security guidelines.  “The key guidelines recommended to federal departments and agencies, and applicable to the private sector, include:

• Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
• Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
• Ensure that the client-side computing environment meets organization security and privacy requirements for cloud computing.
• Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments."