Archive for the ‘Cloud Computing’ category

“The cloud”, just another word for outsourcing IT?

September 21, 2010

The question came up at a recent Annual Executive Retreat of how to conduct a risk assessment of a cloud vendor. One CISO in attendance suggested that “the cloud” is just a trendy term for outsourced computing, and that the risk assessment process is the same as it always has been. Other CISOs like to recall the term time-sharing to point out that everything old is new again.

However much this is part of a cyclical pattern, there are new aspects to the cloud that present new challenges to Security organizations:

  1. Governance. Purchasing decisions are much harder to detect: a credit card and they’re up and running. Members tell us much of this seems to be happening in the Sales and Marketing functions, and cite this as the number one risk of the cloud (see figure below). These services are so easy to set up that those who initiate the relationship may not think of themselves as going around IT; they are just doing what people do naturally these days: getting stuff done on the web. This creates new problems for Security:
    • How can you detect these transactions?
    • Is it possible to create a policy that defines what is OK and what is not, or do all projects need to go through a security review?
    • If you did create a policy, what are the carrots, sticks, and awareness needed to make it work?
  2. Requiring controls. With larger SaaS and IaaS vendors, there is little transparency into their controls, and the vendor will not change their security as a condition of your contract: the key to their cost efficiency is standardization and low transaction costs. Also, the vendors will rarely sign up for indemnification for when something goes wrong. IREC members are used to having the size to get their way with third parties, but the big cloud vendors aren’t that eager for each new small cloud contract. The balance of power has shifted.
  3. Regulations. Unlike outsourced computing in the past, in many cases with the current SaaS offerings you do not know the geographic location of the data/servers. This can be a regulatory problem, for example:
  4. Vendor selection. There are a lot of apparently small SaaS and IaaS vendors out there, but many are just resellers of services from big providers like Amazon. What accountability and visibility have you sold to the intermediary for a lower cost?

The economics and agility provided by these services are unstoppable, so CISOs must create ways to manage the associated risks. First, CISOs need to understand the business side’s desire to use SaaS offerings and then use an understanding of the organization’s risk tolerance to decide what Security’s posture will be. Specific solutions we have heard about include:

  • Offsetting desire for IaaS by building internal, private clouds, often using existing unused capacity.
  • Creating clear definitions of data or processes that cannot be transferred to a third party without a security review. Ideally the restrictions are minimal, including only regulated data or crown jewels rather than all somewhat sensitive data, which can result in driving activity underground.
  • Providing a list of approved vendors and a “getting started” guide to direct business users to safer cloud services. These guides should encourage submission of new vendors to ensure the lists continue to address user needs and keep Security aware of new cloud players.
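The detection question raised above (a credit card and they’re up and running) can be approached from the web proxy: signup or billing URLs on hosts that are not on the approved-vendor list are the signal that someone is opening a new cloud account. The following is an added example, not code from IREC or its members; the log format, the hostnames and the approved list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Approved-vendor list of the kind the post recommends publishing (constructed hostnames).
APPROVED_SAAS = {"crm.approved-vendor.example", "files.approved-vendor.example"}

# URL paths that mean someone is opening an account or paying, not merely browsing.
SIGNUP_PATHS = re.compile(r"/(signup|register|checkout|billing|subscribe)\b", re.I)

# Constructed proxy log: timestamp, client IP, department\user, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2010-09-20T09:12:01 10.1.4.22 sales\\jdoe https://crm.approved-vendor.example/login 200
2010-09-20T09:14:37 10.1.4.22 sales\\jdoe https://newcrm-startup.test/signup 200
2010-09-20T09:20:05 10.1.4.23 sales\\asmith https://newcrm-startup.test/billing/plan 200
2010-09-20T10:02:11 10.1.7.9 marketing\\klee https://newcrm-startup.test/dashboard 200
2010-09-20T10:05:44 10.1.7.9 marketing\\klee https://www.news-site.test/article/42 200
2010-09-20T11:30:00 10.1.9.3 finance\\rwong https://mailer-service.test/register 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<dept>[^\\ ]+)\\(?P<user>\S+) (?P<url>\S+) (?P<status>\d+)$")

def parse_line(line):
    """One log line to a dict with host and path split out; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["url"])
    rec["host"], rec["path"] = (url.hostname or "").lower(), url.path or "/"
    return rec

def find_unapproved_saas(log_text, approved=APPROVED_SAAS):
    """Hosts outside the approved list where anyone hit a signup/billing URL, with every
    department and user seen talking to that host, so Security knows who to follow up with."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r and r["host"] not in approved]
    flagged = {r["host"] for r in records if SIGNUP_PATHS.search(r["path"])}
    report = {h: {"departments": set(), "users": set(), "signup_hits": 0} for h in flagged}
    for r in records:
        if r["host"] in flagged:
            entry = report[r["host"]]
            entry["departments"].add(r["dept"])
            entry["users"].add(r["user"])
            if SIGNUP_PATHS.search(r["path"]):
                entry["signup_hits"] += 1
    return report

if __name__ == "__main__":
    for host, info in find_unapproved_saas(SAMPLE_PROXY_LOG).items():
        print(host, sorted(info["departments"]), sorted(info["users"]), info["signup_hits"])
```

Plain browsing of an unknown host (the news site) is not reported; only hosts with an account-creation or payment hit are, together with everyone else already using them.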

What steps have you taken to address the specific risks of the cloud? Let us know.


The Future of Corporate IT: 5 Radical Shifts in IT Value, Ownership and Role

May 4, 2010

We here at IREC are part of the IT Practice of the Corporate Executive Board. The IT Practice has just released what is probably the most important research we have done in years: The Future of Corporate IT.

The Future of Corporate IT

Our research series on The Future of Corporate IT is based on interviews and surveys with IT and business leaders at over 200 organizations, and on our analysis of business, social, and technology trends. From this, we find that there are five shifts underway that will radically change how technology is used to create value and how the IT function is structured and managed. These shifts will upend job descriptions across IT management and result in a massive translocation of IT do-ers.


Checklists will not increase your Cloud Computing Security

April 6, 2010

While most members are looking for differences between outsourcing and cloud computing, and developing better assessments to evaluate cloud vendors, a recent discussion between a few IREC members has provided a framework for a different approach to cloud vendors. One of the members on the panel has decided to completely drop the checklist approach to reviewing cloud vendors. He believes that the traditional approach of using ISO 27001 or NIST based questionnaires does not work well with cloud vendors for a variety of reasons. First, most vendors at this time are too new to have the security assessment process down to a point where they can respond to ISO/NIST based assessments. Second, vendors are hesitant to put on paper any information that could leak and reduce their competitive edge in this rapidly growing market. Third, the way information is stored in the cloud can sometimes make traditional assessment unfeasible; for example, Google can break up your information and store it in 200 different locations in multiple countries, making traditional location assessment impractical while simultaneously making it harder for breached information to be meaningfully used by hackers.

This obviously means that CISOs whose companies are moving forward with cloud computing initiatives at this time have to assume a lot of risk. So what should CISOs of those companies do? First, have a discussion about security with your cloud vendor. CISOs at first-mover companies have connected their security team with the vendor’s security team and found that a conversation has allayed most of their fears. Second, most cloud vendors have better security controls than anything developed in house. As one CISO said, “All cloud vendors are in the security business: one breach and their business is over, because hackers will get every company’s data. They have a lot of reasons to protect this data.” Finally, have vendors buy insurance against your contract, so that if a breach does happen and everyone is suing the cloud vendor, the insurance can pay your company off.

Obviously these recommendations are more relevant to those security folks who have to move to the cloud now. The consensus from the folks on the call was that as cloud vendors start getting more mature they will obtain NIST or ISO certifications that can be used in assessments, and will also develop better processes to respond to third-party assessment requests.

2010 Information Security Outlook

IT is changing... Again?

February 8, 2010

In the past few years IT organizations have seen multiple organizational transformations: some have centralized and others have decentralized. So when I heard a senior researcher talk about another transformative organizational change, I had the usual reaction of “yawn” followed by healthy skepticism. What got my attention though were the following three trends and potential implications for CISOs:

1) Business units will bypass IT to directly buy both devices and software. We have already seen examples of this in the social media space, where human resources used Facebook for recruiting and sales organizations bought 500 Salesforce licenses without having discussions with corporate IT and CISOs. This has major implications for CISOs, as they lose their traditional listening posts inside centralized IT and their ability to prevent risky technology and software from entering the corporate IT infrastructure.

Some CISOs already have lists of approved consumer devices, but they should also start including in that list SaaS-type applications that could realistically be purchased by the business. Assurance for these applications might involve conducting third-party assessments of “future third parties”. NAC may be another technology that CISOs could consider deploying further, to ensure that only approved devices are connecting to the network.

Gamma’s Third Party Assessment Questionnaire
Teleconference on Network Access Control Implementation

2) Data will become more critical than business processes. Rather than providing automation, IT organizations will be tasked with providing information, and value will be added by linking multiple different sources, from legacy to unstructured, to help with critical business decisions. With data becoming easily accessible and combined in useful forms, there is always a danger that the same data could also be combined to reveal individual identity; for example, date of birth, zip code, and gender together could uniquely identify a person.

Risk assessments that currently focus only on applications, or even on business processes, will need to be updated to include data, and the scope of these assessments will need to drill into contextual data loss risk. Updating data classification guides and training end users on them will also become more critical.
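The re-identification risk mentioned above (date of birth, zip code and gender) can be measured before a data set is shared or combined: count how many records share each combination of quasi-identifiers, and treat any combination that occurs only once as re-identifiable. The following is an added example, not code from the post or from DuPont’s assessment; the records and the generalization step are constructed for illustration.

```python
from collections import Counter

# Quasi-identifier columns named in the post: individually harmless, unique in combination.
QUASI_IDENTIFIERS = ("dob", "zip", "gender")

# Constructed "de-identified" HR extract: names removed, quasi-identifiers left intact.
SAMPLE_RECORDS = [
    {"dob": "1975-03-14", "zip": "02138", "gender": "F", "salary_band": "C"},
    {"dob": "1975-03-14", "zip": "02138", "gender": "F", "salary_band": "D"},
    {"dob": "1982-11-02", "zip": "02139", "gender": "M", "salary_band": "B"},
    {"dob": "1982-05-30", "zip": "02141", "gender": "M", "salary_band": "B"},
    {"dob": "1990-07-21", "zip": "02140", "gender": "M", "salary_band": "A"},
    {"dob": "1990-07-21", "zip": "02140", "gender": "F", "salary_band": "A"},
]

def quasi_key(record, columns=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values an outside data set (voter roll, marketing list) could join on."""
    return tuple(record[c] for c in columns)

def k_anonymity(records, columns=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing a quasi-identifier combination; k == 1 means someone is unique."""
    counts = Counter(quasi_key(r, columns) for r in records)
    return min(counts.values()) if counts else 0

def unique_records(records, columns=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination occurs exactly once, i.e. the re-identifiable ones."""
    counts = Counter(quasi_key(r, columns) for r in records)
    return [r for r in records if counts[quasi_key(r, columns)] == 1]

def generalize(records):
    """One generalization step: birth year only, 3-digit ZIP prefix, gender suppressed.
    Coarsening the quasi-identifiers is what raises k; re-run the check after every step."""
    return [dict(r, dob=r["dob"][:4], zip=r["zip"][:3], gender="*") for r in records]

if __name__ == "__main__":
    for label, data in (("raw", SAMPLE_RECORDS), ("generalized", generalize(SAMPLE_RECORDS))):
        print(f"{label}: k={k_anonymity(data)}, re-identifiable={len(unique_records(data))}")
```

On the constructed extract four of six records are unique on the raw quasi-identifiers (k = 1); after one generalization step every combination is shared by at least two records (k = 2).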

DuPont company’s data focused risk assessment

3) IT is embedded in a newly created business services organization. Rather than IT offering end-user computing, a new business services organization will be created, consisting of corporate functions like Finance, HR, and IT, that will offer a business service titled “New Employee Hiring” that includes the human resources components (interviewing, hiring, orientation, background…), the information technology components (identity management, provisioning, laptop…), and the Finance components (payroll, bonus…). These are the units of service that the business will order, rather than the individual components. This calls for a high degree of integration of information security at both the IT level and the business level.

This trend, while causing angst around org structure and governance, may actually help CISOs by providing a cross-functional perspective on risk. The downside is that IT risks may not receive the same weight, and therefore the same resources, when compared with some of the other risks in the enterprise.

Top 10 Enterprise Risks

The Increasing Maturity of Cloud Computing Security

January 4, 2010

We wrote a few weeks ago about a few good guides for thinking about security in the cloud. In that post we mentioned the Cloud Security Alliance. Now they have just released version 2.1 of their guide to security in the cloud.

The Guide is rather lengthy and still has areas in need of improvement, but it is a valuable document that makes great strides over the previous version and signals that as a field we are close to establishing a mature and systematic approach to cloud computing security.

The Guide includes an excellent overview of “the cloud”, clearly describing how to break it down into different service models and different deployment models. At this point it seems we are close to achieving one of the critical steps for cloud security maturity: a consistent and meaningful terminology and taxonomy of activities.

The Guide’s core is 13 domains (areas of focus) that must be attended to regarding cloud security. The list of domains itself is a useful high-level checklist, and the Guide includes for each domain both useful background information and points of security that need to be addressed.

If a criticism is to be made, it seems that each domain is written by a different set of contributors, and unfortunately it shows. The domains vary in style, content, and approach. For example, when treating security guidance, in some cases specific guidance is given, while in other cases the domains are much more generally written. Also, the terminology and organization of domains could be improved. Hopefully the next version will build on the excellent start they have already made, and streamline and organize the document into a concise set of high-level guidance supplemented with detailed specific guidance in an appendix or companion document.

Quite a few IREC members helped contribute to the Guide, and we congratulate them on the way it is progressing.

Assessing the risk of cloud computing

November 24, 2009

The European Network and Information Security Agency (ENISA) has a new report out: “Cloud Computing: Benefits, risks, and recommendations for information security”. This report does a good job of laying out definitions of “the cloud”, including breaking it down into more meaningful services (SaaS, PaaS, and IaaS), and walking through how to think about the risks rather than just whipping up a bunch of horror stories. Some of the nice attributes of the study include:

  • identification of the top risks of cloud computing in general
  • a clear, detailed walk-through of the risk assessment process that an organization should follow to assess its own risks, with several examples
  • balanced consideration of the risk of not using the cloud

The study is also notable as a good example of how to perform and present an ISO 27005 risk assessment.

A few other good resources for thinking about the risk of cloud computing: