Checklists will not increase your Cloud Computing Security

While most members are looking for differences between outsourcing and cloud computing, and developing better assessments to evaluate cloud vendors, a recent discussion between a few IREC members has provided a framework for a different approach to cloud vendors. One of the members on the panel has decided to completely drop the checklist approach to reviewing cloud vendors. He believes that the traditional approach of using ISO 27001 or NIST based questionnaires does not work well with cloud vendors for a variety of reasons. First, most vendors at this time are too new to have the security assessment process down to a point where they can respond to ISO/NIST based assessments. Second, vendors are hesitant about putting on paper any information that could leak and reduce their competitive edge in this rapidly growing market. Third, the way information is stored in the cloud can sometimes make traditional assessment unfeasible. For example, Google can break up and store your information in 200 different locations in multiple countries, making traditional location assessment impractical while simultaneously making it harder for breached information to be meaningfully used by hackers.

This obviously means that CISOs whose companies are moving forward with cloud computing initiatives at this time have to assume a lot of risk. So what should CISOs of those companies do? First, have a discussion about security with your cloud vendor. CISOs at first mover companies have connected their security team with the vendor's security team and found that a conversation has allayed most of their fears. Second, most cloud vendors have better security controls than anything developed in house. As one CISO said, “All cloud vendors are in the security business; one breach and their business is over, because hackers will get every company's data. They have a lot of reasons to protect this data.” Finally, have vendors buy insurance against your contract so that if a breach does happen and everyone is suing the cloud vendor, the insurance can pay your company off.

Obviously these recommendations are more relevant to those security folks who have to move to the cloud now. The consensus from the folks on the call was that as cloud vendors start getting more mature, they will obtain NIST or ISO certifications that can be used in assessments and will also develop better processes to respond to third party assessment requests.
