Archive for November 2009

Assessing the risk of cloud computing

November 24, 2009

The European Network and Information Security Agency (ENISA) has a new report out: “Cloud Computing: Benefits, risks, and recommendations for information security”. This report does a good job of laying out definitions of “the cloud”, including breaking it down into more meaningful services (SaaS, PaaS, and IaaS), and walking through how to think about the risks rather than just whipping up a bunch of horror stories. Some of the nice attributes of the study include:

  • identification of the top risks of cloud computing in general
  • a clear, detailed walk-through of the risk assessment process that an organization should follow to assess its own risks, with several examples
  • balanced consideration of the risk of not using the cloud

The study is also notable as a good example of how to perform and present an ISO 27005 risk assessment.

A few other good resources for thinking about the risk of cloud computing:


How much access control technology is enough?

November 5, 2009

I recently attended a meeting with a group of leading CIOs of U.S. Federal Government agencies, all of whom are working to meet a presidential mandate (HSPD 12) to integrate high-tech Personal Identity Verification cards into their access control systems. Some level of activity is of course required for compliance—there’s a “just do it” attitude that has to apply in some way. The more surprising conversation for me was a mentality that would be familiar to anyone who has ever remodeled a house: “while we’re in there, let’s also fix that…”. These CIOs were very interested to know how much effort to improve access control beyond mere compliance is worthwhile from a cost/benefit perspective.

IREC’s research efforts on access management and assessing the relative value of control investments shed some light on the question of how much technology is enough.