Interesting cloud security points from the Cloud Computing World Forum
Wednesday, June 30, 2010 at 11:23AM

Firstly, Jason Hart, SVP Europe for CRYPTOCard, pointed out that too many cloud services rely on a weak method of authentication - passwords. Cloud service providers need to up their game and implement stronger authentication mechanisms.
Then during the panel session, the topic of whether 'the cloud' had inherent security weaknesses came up. The conclusion drawn was that "the cloud doesn't have a security problem, it has a trust problem".
This is a topic that is close to my heart, as I believe companies are taking a totally different approach to the due diligence of cloud service providers, one which is often unrealistic. I've stressed over and over that due diligence is a critical part of selecting the right cloud service provider, but the due diligence framework has to be realistic and based on fact.
Organisations wanting to move from an in-house solution to one that is cloud-based need to baseline their security against what they are doing at the moment, and against what they need to protect the particular data in question. I've had more than one 40-page security due diligence questionnaire, downloaded from the Internet, from a 100-seat organisation that itself has its entire email infrastructure in a comms room in a single office, with an Exchange administrator who has never been background screened, and that has never performed a penetration test.
The entire discipline of information security revolves around working out which data is sensitive and critical to the business; assessing risk exposure to that data; doing a gap analysis to work out whether you're handling the risk accordingly at present; assessing controls for the areas you're not handling sufficiently well on a cost/benefit analysis basis; then deploying the controls; and managing them on an ongoing basis.
During the conference Klaus Bartosch, the EVP of Sales and Marketing for Virtual Ark, made a good case for a due diligence methodology for cloud service providers involving these same steps, mimicking the approach above. The title of his presentation: "Cloud security isn't bad - it's just different". After listening to his presentation I'd say it isn't different; it needs the same risk assessment approach that the information security community has built up over decades. The difference is that instead of deploying the controls yourself, you make it a mandatory requirement that the service provider implements them. If they don't, move to the next provider; it's a competitive market out there.
The critical thing to remember is that the level of protection needs to be proportionate to the sensitivity and criticality of the data involved. More often than not, organisations achieve a better level of protection for their data by moving to a cloud service; they are just nervous because they can no longer physically walk into a server farm and touch the storage arrays containing the data.
Appropriate due diligence cannot be based on irrational fears and prejudices; it has to be based on fact.