| In the IT business, one frequently see businesses | | | | and to where? How long are backups maintained? |
| and government entities fielding contracts to | | | | What is the procedure and timeframe for gaining |
| provide wireless capabilities for their facilities and | | | | access to backups? |
| personnel. As a security professional, the first | | | | Is the vendor, and the storage site(s), controlling |
| question is always: "Why?" experience has shown | | | | the data in compliance with applicable laws, |
| that, businesses and government agencies tend to | | | | regulations, governance, and best practices? Have |
| undervalue the sensitivity of their data-even their | | | | they been cited or had unacceptable incidences in |
| mundane, everyday data. They also tend to | | | | the past? What are the Terms of Service, |
| underestimate the vulnerabilities introduced by | | | | contractually? What is the fine print, and what |
| wireless connections points, even if secured, and | | | | information is missing entirely regarding vendor |
| their potential risk to expensive systems and | | | | responsibility and liability for data stewardship, loss, |
| business operations. | | | | and compromise? |
| Recently, there has been a virtual explosion in the | | | | The answers to these questions, along with |
| use of Cloud Computing to decrease security | | | | others particular to an individual situation, will define |
| costs and increase accessibility to data. Once | | | | the level of trust required in a relationship with a |
| again, businesses and government entities are | | | | potential vendor. |
| jumping on the bandwagon to place volume upon | | | | Evaluating Risk in Establishing Cost vs. Benefit |
| volume of proprietary and potentially sensitive | | | | Once potential vendors' offerings are understood, |
| data into the great wide open of "The Cloud." In | | | | there are a few industry-standard security topics |
| this process, data owners are yielding broad | | | | to consider in establishing the level of risk involved |
| powers of control over their data to external | | | | in outsourcing data and capabilities. Once the risk is |
| service providers for which an appropriate trust | | | | quantified, the cost of moving to the cloud can be |
| relationship may not be fully established, nor | | | | considered not only in terms of monthly savings, |
| understood. Once again, I the basic question is, | | | | but also in terms of expected fiscal expense over |
| "Why?" | | | | time due to loss or compromise of data or |
| The Attraction of Cloud Computing | | | | capabilities. These macro-security topics are: |
| Cloud Computing utilizes internet web services | | | | Confidentiality: What is the potential for disclosure |
| from external vendors to provide companies an | | | | of data with each vendor, and what degree of |
| attractively-priced and scalable means to | | | | damage would be experienced to revenue, |
| outsource infrastructure, software, and even | | | | ongoing or future business efforts, company |
| technical expertise. The vendor provides these | | | | image, operations, or security if data were |
| services en-masse, leveraging the efficiencies | | | | disclosed inappropriately? |
| inherent in economies of scale to provide IT | | | | Integrity: What is the potential for data corruption |
| capabilities that would be more expensive, or | | | | or loss with each vendor, and the degree of |
| even prohibitive, to build and maintain | | | | damage (per above) if data were corrupted or |
| independently. | | | | lost? |
| A company or government agency of virtually | | | | Availability: What is the speed of data access and |
| any size can invariably find some aspect of their | | | | degree of system reliability for each vendor? |
| operation, or even a total solution, that would | | | | What is their system availability rate; and how will |
| realize reduced financial costs in moving internal | | | | change management procedures, system |
| systems and capabilities into the Cloud. In fact, | | | | upgrades, and potential disasters affect |
| ventures with limited or non-existent internal | | | | accessibility to data or capabilities? |
| information security resources to begin with may | | | | Accountability: What is the detection and forensic |
| greatly improve their security posture simply by | | | | capability for each vendor if data is lost or stolen? |
| making the move. | | | | Can unauthorized access, inappropriate disclosure, |
| It all sounds so new, wonderful, and exciting; and | | | | or loss be tracked so that potential damage can |
| to a certain extent it is. But even in an economy | | | | be prevented or mitigated? |
| dominated by the bottom line, it is easy to | | | | Choosing a Solution |
| overlook a simple truth: The real value of a piece | | | | In making a decision whether to utilize Cloud |
| of data to its owner cannot be fully captured by | | | | Computing, and to what degree, the primary |
| a dollar sign, alone. In fact, that data may be | | | | focus should be the criticality of the data and |
| priceless. | | | | capabilities in question. Considering all cost and risk |
| The Element of Trust | | | | factors, internal secured data systems may offer |
| Often times, the true value of a piece of data is | | | | higher value for critical data than entrusting an |
| not realized until it is compromised. We work with | | | | outside party with its control. |
| volumes of data every day, and it is easy to | | | | While service providers and various consortiums |
| take it for granted. It is also easy to take | | | | are beginning to address some of the security |
| commercial services for granted. So, let the buyer | | | | concerns inherent in Cloud Computing, uniform |
| beware: When considering outsourcing resources | | | | legal and industry standards are still many years |
| into the Cloud, it is imperative to understand the | | | | off. Furthermore, security comes with a price: |
| value of data and capabilities being entrusted to | | | | Higher degrees of security and performance than |
| the vendor, as well as the nature of the trust | | | | what is currently the norm will necessarily reduce |
| relationship-with both the vendor and their | | | | the margin of savings and the overall value to |
| third-party business partners! After all, you may | | | | business. |
| be giving them the keys to the kingdom. As a | | | | When the decision is made to utilize Cloud |
| starting point, some simple questions to consider | | | | Computing resources, consider the following as |
| should be: | | | | "must-haves" in choosing a vendor: |
| Where will the data be located, both physically and | | | | 1. Demand openness from the vendor on |
| logically? Different states within the U.S., and | | | | security-relevant details of their employees, |
| certainly different countries, have widely varying | | | | systems, and operations. |
| laws regarding second-party responsibility-and | | | | 2. Ensure control is not lost for access to |
| liability-for handling of data. | | | | sensitive information: Protect proprietary and |
| Ironically, the U.S. has come under scrutiny from | | | | intellectual property, privacy information of |
| other countries due to the post-9/11 ease with | | | | employees and customers, as well as financial |
| which the federal government can gain access to | | | | data. |
| foreign data. Logically speaking, is the data stored | | | | 3. Ensure applicable laws and governance |
| on single or multiple servers? Does it share space | | | | mandates are not violated by your use of a |
| with data from other sources? Is it housed at | | | | vendor, nor by the vendor's practices in handling |
| one site or multiple, geographically separate sites? | | | | your data (for example: FISMA, HIPAA, |
| Who will have access to the data, and how are | | | | Sarbanes-Oxley...). |
| they vetted and monitored? How does one | | | | 4. Ensure that the criticality of the data, and your |
| control and gain access to your own Cloud data? | | | | liability for it, is not such that loss or release could |
| How are vendor employees, contractors, and | | | | severely damage or destroy yourself or others. |
| third parties restricted and monitored with regards | | | | Virtual and "Cloud" computing are popular |
| to access to your data? What security policies | | | | concepts in the search to better manage data |
| are in place? | | | | storage and improve computing efficiency. But |
| How will the data be secured on the server, and | | | | there is real and potential risk associated with |
| how is it backed up and/or replicated? Is the data | | | | these new concepts. |
| encrypted on the server and/or in transit? How | | | | As a result care and planning is required to avoid |
| will encryption (or lack thereof) affect | | | | the negative impact of a security breach. |
| performance? How often is the data replicated, | | | | |