Where Are My Bits?

NO DOUBT ABOUT IT – there is a sea change happening as individuals and companies slowly grasp the upside of cloud computing. But I still get challenged at conferences: “What about the security risk? I have to know that my bits are safe. How do I know these service providers are not going to mine my data and exploit all my information?”

The short answer is that you don’t – no one does. But then again – where are my bits, and where are your bits? In general, we don’t have a clue. Everything from our banking details, passport, national insurance and tax to our medical records is stored somewhere, but we don’t know where. And do we care? We don’t give it a thought. Perhaps we should – bankers have proven to be less than honest and many of our institutions seem to excel in losing memory sticks, hard drives and laptops with our private info.

My worst nightmare is that the companies and institutions storing my data have been foolish enough to assign it to one drive, drive set, rack or floor in a single physical location. If they have, they are naive in the extreme, and are putting me at risk along with everyone else.

Perhaps the most paranoid objection voiced goes like this: “I don’t want anyone else’s data on my hard drive.” Such a strong sentiment reflects a lack of understanding that is really worrisome, especially when some of the protagonists are employed in IT departments.

Personally, I hope my bits are mixed in with thousands of others and spread all over the planet on multiple drives backed up in multiple locations. Such a scenario is more secure, and it can be rendered extreme by variable encryption. How come? If someone steals a file, and manages to crack the layered encryption, that person will only have partial documents.

The best the thieves can hope for is a mere glimpse of the full picture. To get to the real meat, they need the context, which is spread across an impossibly large number of drives and locations. This may be an impossible nut to crack with today’s technology.

Like it or not, cloud computing is not going away anytime soon. It is going to grow, and as it does, it will become increasingly secure. Our data will become safer, and all the more so as it becomes more dispersed. And yet, I hear sensible people demanding that their in-house data has to be held on a company server, in a company building, on company soil, always to be under the company eye and control.

Why do people think this way? Perhaps it is just habit, or more about the illusion of control. Such thinking is delusional – none of us can control our own data, let alone that of our companies. The internet, servers and service providers are leaky buckets with data seeping out and in. The good news is that it is unpredictable and difficult to read. The real problem is one of trust and reputation. Who do you trust? Your bank, ISP, Google, HP, Apple or IBM?

You might want to contemplate running with several providers simultaneously – that way, you can control some of the dispersal and add another layer of security. Reliability, resilience and security seldom come cheap but it is vital to spread data across the internet in a parsed format. But do we do it ourselves, or do we let others do it for us? I prefer the latter course, through a trusted intermediary.
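An added example (not from the original article) contrasting two ways of dispersing a document across several providers: cutting it into fragments, where a stolen fragment is a readable partial document, and n-of-n XOR splitting, where an incomplete set of shares is consistent with every possible document of that length. The sample record, the function names and the choice of three providers are constructed for illustration.

```python
"""Dispersing one document across several storage providers (constructed example)."""
import secrets

# Constructed sample record; not real data.
DOC = b"name=Alex Example;account=00000000;note=constructed sample record"


def stripe(data: bytes, n: int) -> list[bytes]:
    """Naive dispersal: cut the plaintext into n contiguous fragments."""
    if n < 1:
        raise ValueError("need at least one fragment")
    size = -(-len(data) // n)  # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(n)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_xor(data: bytes, n: int) -> list[bytes]:
    """n-of-n splitting: n-1 random pads, plus the data XORed with all pads."""
    if n < 2:
        raise ValueError("need at least two shares")
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for pad in pads:
        last = xor_bytes(last, pad)
    return pads + [last]


def combine_xor(shares: list[bytes]) -> bytes:
    """XOR all shares together; yields the document only if every share is present."""
    if not shares:
        raise ValueError("no shares given")
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor_bytes(out, share)
    return out


def consistent_missing_share(held: list[bytes], guess: bytes) -> bytes:
    """Return the missing share that would make the held shares decode to `guess`.

    Such a share exists for every guess of the right length, which is why a
    thief holding fewer than n shares cannot rule out any document.
    """
    return combine_xor(held + [guess])


if __name__ == "__main__":
    # Fragmenting: one provider's fragment is directly readable.
    print("fragment 0:", stripe(DOC, 3)[0])

    # XOR splitting: one provider's share is random-looking bytes.
    shares = split_xor(DOC, 3)
    print("share 0   :", shares[0][:22].hex(), "...")
    print("all shares:", combine_xor(shares))

    # Two of three shares are compatible with any other 65-byte document.
    decoy = b"X" * len(DOC)
    missing = consistent_missing_share(shares[:2], decoy)
    print("decoy fits:", combine_xor(shares[:2] + [missing]) == decoy)
```

XOR splitting needs every share to rebuild the document, so losing one provider loses the data unless each share is itself backed up; it buys confidentiality at the cost of availability and n times the storage.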

To me, this is no different to keeping money under my mattress, using a bank, or carrying cash. It is all about resource management and using service industries that organise bits on our behalf while saving us time and money.

Paradoxically, the last people to figure all this out might be those CIOs and IT departments stuck in business and operating modes cast in the 1960s. The cloud is coming and there are great advantages to be had – but we have to accept the challenge of change.

Author: Peter Cochrane

Secure Your Virtual Environment

Security exists to protect the tangible things in life. If something is deemed special enough to be protected, we do so with highly visible declarations of security. Deadbolts on doors are large and comforting; alarm systems used to protect buildings are there for all to see; seatbelts in cars tell the world that we are taking our safety seriously.

While protecting homes and possessions is simple human behaviour, there are important aspects of day-to-day life which sadly go unprotected – especially in business. This is down in part to the rapid technological revolution that businesses have been privy to over the past few decades.

Fifty years ago important documents could simply be kept under lock and key in a secure file room – but in this decade of technological advancement, important documents no longer exist in their paper form alone.

Emails, computers and IT systems became commonplace in a very short amount of time, leaving storage and security struggling to keep pace. Inevitably, as the volume of this data grew, space became an issue.

This is where virtualization really came to the fore. Virtual storage allows companies to store far greater volumes of information without investing in expensive, space-sapping servers. It appeared to offer the perfect solution, and prompted a boom in popularity.

Indeed, a study by leading analyst Gartner charts the rise and rise of virtualization, predicting that approximately half of all x86 architecture server workloads will be virtualized by the end of 2012.

But while virtualization has grown in popularity, securing virtual environments has lagged behind. While companies have been fast to virtualize, they have been slow to secure and, contrary to popular belief, this is not down to a lack of threat.

Security threats in the virtual space – particularly from malware – are greater than ever before.

There is a common perception that virtual machines are more secure than physical ones, but this is little more than a myth. In fact, virtual systems are just as vulnerable to malware in the form of malicious email attachments, drive-by-downloads, botnet Trojans and even targeted ‘spear-phishing’ attacks.

The same Gartner study found that in 2012, two thirds of virtualized servers will be less secure than the physical servers they replace. This is even more disconcerting when Kaspersky’s own Global Virtualisation B2B study also found that 81 per cent of services launched in virtual environments are business critical.

Sadly, many businesses are guilty of undercutting the inherent benefits of virtualization when they fail to properly implement anti-malware solutions to protect from data loss and cybercrime. Technology has revolutionised business, but it is only possible to reap the rewards if sensitive data is adequately secured and protected.

Choosing the right type of virtualization security is almost as important as deciding to secure your virtual environment in the first place. For starters, it’s a fact that some anti-virus implementations can bog down the virtual infrastructure, reducing consolidation ratios and limiting ROI.

According to the Kaspersky Lab study, 61 per cent of IT professionals cite performance as the most important factor when assessing the effectiveness of virtualization security, so choosing a programme which allows for the smooth running of IT systems is imperative.

Information is like oxygen to a business, so all possible measures should be taken in order to protect it. As well as the risk of theft and public embarrassment, leaving virtual servers unsecured opens your business up to the possibility of a serious and costly data breach.

Investing in virtualization security is business common sense, but it should not be undertaken lightly. Extensive research into your business’ requirements, as well as a thorough assessment of the products on offer, is undoubtedly time well spent. An element of education is also advisable, especially given that Kaspersky Lab found that 41 per cent of IT staff rate their knowledge of virtual environments as ‘basic’.

Virtual environments may not be tangible, but this is not to say that they do not require adequate security and protection. Putting the locks and bolts onto your virtual servers is just as easy as fastening a seatbelt, providing you have the necessary expertise in your armoury.

Author: Peter Beardmore

Public Sector Behind the Cloud Curve

Cloud computing has become mainstream in 2012 for providing IT facilities, but the public sector is slower to move into the cloud than private companies.

Cisco commissioned independent research amongst IT decision makers, in enterprises with more than 1,000 employees across a broad range of vertical sectors including government. The results clearly show that cloud has moved from hype to reality, with cloud now seen as a mainstream element of IT strategy.

Cloud computing, which allows organisations to share resources, software and applications, has the potential to bring radical change to public sector ICT services. Using the cloud reduces costs and risks and brings scalability and resilience.

The report finds IT decision makers within government are increasingly placing applications and services from across their business into the cloud and planning a 46 per cent increase by 2014. But only 24 per cent of government IT decision makers consider cloud as being critical and underpinning much of the organisations’ activity. This compares with 31 per cent in the private sector.

The message that cloud can deliver significant cost reduction is now resonating with the IT community and cost saving has become a top driver for adopting cloud. In CloudWatch 2011, reducing cost ranked fifth in a list of most important things when considering cloud, but in 2012 it ranks as the number one priority.

Security still remains the number one concern when putting services and applications in the cloud. But that concern is noticeably less pronounced than in last year’s report and the use of public cloud is up 11 per cent, although private cloud still dominates.

Ian Foddering, Chief Technology Officer and Technical Director, Cisco UK and Ireland said: “This new report validates a shift that many of us in the IT industry have been witnessing first hand over the last 6-12 months. Cloud usage has now gone mainstream. After several years of ‘hype’ across the IT industry, it now seems that cloud is maturing and organisations across a broad range of sectors are realising the benefits of moving to a cloud model.”

Cloud Adoption Increases Security for SMBs

Small and medium businesses have a lot to gain through adopting cloud computing, recent research from comScore – sponsored by Microsoft – shows.

Not only would these companies benefit from important time and money savings when adopting the cloud, but they also see increased security levels, the aforementioned research shows.

According to the survey, which was conducted among both cloud and non-cloud SMBs in the U.S., India, Hong Kong, Malaysia and Singapore, most businesses who chose to make the move to the cloud consider it a great step in their evolution.

The study shows that SMBs are increasingly confident in the benefits of cloud computing after adoption, and that twenty percent of companies spend less on security, while only 4 percent of non-cloud businesses suggest the same.

Forty-one percent of cloud users considered the service provider as being entirely responsible for the security of their information, which suggests both the level of confidence in such services and that they need to be educated on their responsibilities in this area.

Fifty-seven percent of surveyed companies said that they felt that responsibility was shared with their cloud provider.

This also means that companies that offer cloud services have to ensure that their software is constantly updated so that they can meet the latest requirements in terms of security and reliability.

Richard Saunders, director, Trustworthy Computing, explained to Softpedia in a phone briefing that Microsoft is focused on improving the security of their cloud products.

Every second Tuesday, the Redmond-based giant releases security updates to users, in a process that also makes security updates delivery more predictable and transparent.

Microsoft is one of the main players in the provision of cloud services, with an offering that includes products such as Windows Azure, Windows Intune, Office 365 or Dynamics CRM, available for all customers interested in benefiting from public cloud capabilities.

Moreover, the software giant offers private cloud products as well, including Windows Server, SQL Server, Microsoft Exchange, Lync, SharePoint and the like, all of which are being periodically updated with patches for discovered vulnerabilities and with new features.

Of course, this does not mean that all targeted companies install these updates, due to a variety of reasons, including the costs and the lack of expertise to adjust the business to these updates.

Other findings of the survey also include:

  • Forty-five percent said it was easier to integrate systems.
  • Thirty-eight percent said they spent less time managing security.
  • Thirty-four percent were more confident in their company’s regulatory compliance.
  • Forty-two percent said the cloud made it easier for them to scale their business to explore new markets.
  • Forty-one percent said they were able to employ more staff in roles that directly benefit sales or growth.
  • Thirty-nine percent said they were able to invest in product development or innovation.
  • Thirty-seven percent felt that they benefited from improved agility and competitiveness.
  • Under Impacts, improved security and agility/competitiveness and better scalability are benefits perceived by cloud users.

All in all, it seems that cloud computing is indeed helping SMBs become more competitive and enjoy important savings and increased security levels.

However, not all of them consider the cloud as reliable. Those who haven’t adopted it yet are worried about transparency and identity security, and say that industry standards for cloud security would help them reconsider their position on the matter.

Non-cloud users are also concerned about security (40 percent) and the cost of transitioning (33 percent) to a new business model, yet the research shows that, in fact, they have nothing to fear on this.

However, Richard Saunders also notes that businesses need to make their own decision when it comes to cloud computing, but that they also need to make informed decisions, and that Microsoft is one of the companies focused on ensuring that this indeed happens.

Author: Ionut Arghire

Wish Upon A Cloud

It seems that every networking event this year, every tech magazine issue, and every vendor worth its salt is talking about “the cloud.” The cloud, in one of its many forms – public, private, or mixed – has become ubiquitous! I’ll confess: I started off my cloud gazing with little interest and several doubts, but I’ve learned a lot over the past year about the potential benefits of obtaining software, platform, and infrastructure as cloud services. I’m not quite ready to “drink the kool aid” yet, but it’s starting to look pretty tasty. Still, I have five wishes that need to be granted before I can consider a major move into the cloud.

Wish #1: Service Comparable to What I Provide Now.
When our CEO says jump, well . . . you get the picture. As CIO, I have to provide the level of service that our senior management and board expect from the IT team. So, how do I create SLAs that really ensure that a cloud provider will meet these demanding standards? When a cloud provider doesn’t meet the SLA, the reimbursement is generally a partial rebate of the provider’s fee. When the internal IT staff doesn’t meet the SLA, the “price” can be much higher. So, for example, if I want to have “bursting” support for high levels of availability at peak times, how do I know I can rely on the cloud to provide it? If my cloud provider doesn’t provide the support for the load at the time I need it, I will be compensated with a portion of my hosting fee, whereas if the internal IT team were to fail in this example, we’d be accountable for the lost revenue. That high internal price results in a great motivation to deliver service. Then there are the service issues that are, frankly, out of the control of most cloud providers. The last mile connectivity from premises to data center can be fraught with latency. When users are accustomed to running heavy applications over a private network, accessing them over commodity Internet lines can really impact their perception of system performance.

Wish #2: The Ability to Customize.

We’re all unique, right? Every organization has its – dare I say? – “secret sauce” – the customized software applications and systems that are a major part of the value we bring to our customers. Being able to establish and support a custom implementation in the cloud is still a challenge. For example, we are implementing Microsoft Dynamics CRM. But we need a special search capability that has to be either developed or added as a bolted-on application from a third-party provider. We need such ability to customize standard applications in order to make them effective for us, and that means in the cloud as well as on premises. I’d like to have applications delivered for us to customize and then be maintained in the cloud.

Wish #3: High Security.
Our data is an “attractive nuisance” – people are interested in it because we have personal information on very public figures. Controlling access to that data is critical. No matter what security promises are in our agreement with a cloud provider, and regardless of the amount of SAS 70-2 control in place, we will be loath to release control over our member data to an outside firm. Although security can be a selling point for Microsoft’s products, abdicating our control over this information poses a significant risk that must be addressed. In addition, the cloud providers I have investigated do not encrypt data in motion or at rest, requirements that have begun to crop up in data security and privacy legislation. Bottom line – I need to be able to affirmatively state that my cloud provider is better and more knowledgeable about data security than I am.

Wish #4: Easy Integration.
Not only are our systems highly customized, they are extensively integrated. I need an end-to-end integration of solutions; in particular, hybrid solutions that support only certain user groups and are integrated via web services with locally hosted options. I haven’t yet seen a hybrid solution that provides easy manageability between on-premises and hosted solutions. And I want to manage performance, access, and the like seamlessly, whether that data or application or user resides in the cloud or on premises. And by the way, which cloud? Just as there are many clouds in the sky, there are many cloud providers. Will information in Oracle On-Demand play easily with enterprise applications developed in Azure?

Wish #5: Clarification of Legal Issues.
Our data is part of our intellectual property. Access to that data creates a risk that it will be used in ways that negatively impact our organization. For example, we control access to determining who is eligible to work under a SAG contract. Providing access to work history data could enable other entities to try to make such decisions about our members. E-discovery is another big issue, both in terms of our own need to provide access to electronic assets as well as concerns about allowing inadvertent or unauthorized access to our data in the cloud. If a subpoena is served for access to our data, how will our cloud provider respond? Will we be notified of what data was delivered? Further, what is our obligation to report the remote storage of customer data? As laws surrounding electronic data continue to change, I want to be certain that I’m in compliance and that our organization continues to be served by operating in the cloud.

Despite the fact that my wishes aren’t yet a reality, I’ve decided it’s prudent to assess what steps we can take, and when, to avail ourselves of cloud computing’s potential to save on infrastructure costs and to increase computing capabilities. I’m looking forward to putting together my cloud computing roadmap, and I encourage other CIOs to create their own cloudy forecast.

Author: Erin Griffin

The Drive To Public Clouds

The farthest-reaching changes in the IT industry often occur when a single new development simultaneously responds to the needs of both consumers and business users. Perhaps the best-known example of this kind of wave was the original PC: office workers used PCs during the day for their business tasks and then used the machine when they got home to play games (and often vice versa). The Web was also adopted in equal measure by consumers and business users when it first broke into the mainstream, which was a key factor in its incredibly rapid rise. The same will happen with cloud computing, once the public cloud providers close the loop between business and consumer services.

In 2012, both consumers and large companies will step up their adoption of public clouds. From the standpoint of end users, public cloud computing will be seen as enabling greater mobility, gradually leading to “ubiquitous” computing in which they no longer have to be concerned about where their data is actually located. At the same time, the economics of public cloud computing will become sufficiently attractive to IT managers in enterprise environments that they will no longer be able to avoid considering it, at least for certain workloads. This kind of lockstep between consumers and business users will cause big changes across the IT industry.

Users who put their data in the cloud expect that they will be able to access the data on any device, from anyplace in the world. Because there is only one copy of the data (and hopefully a backup copy somewhere), users hope that they will no longer need to synchronize laptops with other devices like iPads and smartphones. In 2011, many consumers were subtly introduced to the convenience of cloud storage when Apple introduced automatic synching of data between iPhones, iPods, and other devices with its iCloud service (the capability was introduced transparently with an update of Apple’s iOS operating system). Since the iPad dominates the tablet market, and the iPhone is one of the most popular smartphone models, other tablet and smartphone providers will soon need to include similar capabilities to remain competitive. As a result, the huge base of consumers storing their music and photos in multitenant clouds will promote the acceptance of cloud storage from a theoretical capability to a real and useful service. The rise of cloud computing will eventually speed the convergence of “mobile” and “social” trends, in which data sharing between trusted parties will become the normal approach for exchanging information.

In datacenters, the economics of public cloud computing will become increasingly attractive to IT managers. Continuing concerns about potential security risks will prevent organizations from entrusting their most sensitive workloads to public clouds, but for many other workloads, the flexibility and potential cost benefits of cloud deployment will outweigh its risks. In 2012, the use of public clouds will go beyond early adopters and enter the mainstream for certain applications. As public clouds become part of standard IT operating procedures, some business issues with service providers will rise to the forefront. Customers will increasingly focus on issues such as service level agreements (SLAs) and portability between cloud services. Companies planning a cloud deployment will narrow their focus to providers who have the technical ability to deliver on SLAs and can provide security in the cloud. Vendor lock-in with cloud service providers will become a greater concern as customers grapple with the decision of whether to embrace proprietary solutions that deliver unique benefits, or more open solutions that may have limitations. Some cloud vendors will tout their relative openness and present vendor lock-in as a major reason customers should not buy from their competitors.

Throughout 2012, cloud services will become an increasingly big business as companies complete their trials and begin to roll out full-scale enterprise applications to the cloud. Amazon AWS will become the first billion-dollar cloud venture. Towards the end of 2012, the cloud business will begin to see a shakeout as larger, better-financed companies cherry-pick the best companies and push out the weaker start-ups. It will become much clearer by the end of the year which service providers can deliver for the long haul, and which can’t. On the user side, most deployments will be uneventful and successful, but some high-profile events will occur that highlight the problems that happen when cloud is not deployed correctly. To fully reap the benefits of cloud computing, IT workers will need to reassess their skills and go for training in new areas. In the meantime, companies that want to deploy a private cloud may have a difficult time finding IT workers with the right mix of skills to design, deploy, and manage a cloud.

Author: Tony Iams

US Spy Agencies Look To Cloud Computing

US Director of National Intelligence James Clapper said cloud computing will play a major role as the nation’s spy agencies work to integrate computer and information systems to share more data securely.

Cloud computing has “huge potential for achieving savings and promoting integration,” Clapper told an audience last week at the Centre for Strategic and International Studies, a policy group in Washington.

Cloud computing lets users run programmes and store data over the internet. Along with it will come a requirement for security and privacy, especially as intelligence agencies work toward the “big idea” of a joint information-technology system, Clapper said.

“Over the next five years, I think we’ll make some serious and notable changes” in systems for labelling, tagging, monitoring and accounting for information shared across agencies, he said.

The 2010 WikiLeaks episode, in which hundreds of thousands of classified records and US State Department cables were made public, spurred the drive to improve security while ensuring agencies and personnel get the information they need to protect and defend the U.S.

Intelligence agencies are trying to devise a way of tagging and labelling data to separate more sensitive information about sources and methods used to collect intelligence from the substance that operatives, analysts and officials need. The aim is to allow better information-sharing among traditionally secretive and turf-sensitive agencies without jeopardising security.

Insider threat

The US also will spend more on auditing and monitoring its information systems to track use of data and prevent unauthorised access, Clapper said.

“We need to develop a national insider threat policy,” he said. Bradley Manning, a US Army private stationed in Iraq at the time, is charged in military proceedings with illegally passing the classified information published by WikiLeaks in 2010.

President Barack Obama in October established a task force to develop a government-wide programme to detect and stop potential insider threats, when he issued an executive order outlining responsibilities of federal agencies for securing classified information on their computer networks.

A Structured Approach To Cloud Security

The term “cloud” has been turned into a marketing platform by many suppliers and this has obscured what it really is – a way to procure and deliver IT services. The cloud covers a wide spectrum of services and delivery models. The common security concerns are ensuring the confidentiality, integrity and availability of the services and data delivered through a cloud environment.

Cloud computing makes people uneasy. The perceived lack of ownership and control has a tendency to cause an almost instinctive sense of vulnerability, but Simon Salmon, CSA UK and Ireland Chapter member, questions if this is justified.

He says the answer depends on the circumstances, since cloud solutions can be as secure or insecure as any other IT implementation. Many of the issues an organisation should be considering regarding cloud computing relate equally to traditional IT implementations.

Understand the value of your data in the cloud

One pressing question surrounds what happens to a customer’s data when stored and/or processed in the cloud. Should things go wrong, what mechanisms are available for reporting issues and tracking them? Is the SLA acceptable for your business? Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management, urges chief information security officers (CISOs) to understand the type and value of the data their organisation wants to put into the cloud. So businesses need to consider whether the data is public, company internal, company sensitive or personal information (personal data includes employee National Insurance numbers, medical information, credit card or bank details).

Once you know what type and value of data you are dealing with, you can identify any regulations and/or industry rules that might apply, such as the Data Protection Act (personal data) or Payment Card Industry (PCI, credit card information), says Wenham.

Knowing the value of data and the applicable rules and regulations leads to an understanding of what needs to be done to ensure compliance. From this understanding, the terms and conditions of various cloud-based services can be reviewed and informed decisions taken. For instance, if the cloud service provider is unable or unwilling to legally commit to keeping data at all times within the EU (or EU-acceptable safe harbour), then personal data should not be stored or processed in the cloud.

Evaluate the risk of cloud data-loss

CISOs must also evaluate a cloud provider’s guarantee that data cannot be lost, as data loss has happened in the past.

He says the service level on offer may not be sufficient. Remember that a 99.5% availability means in any 12-month period the cloud service could be off air for a total of nearly two days, and don’t forget your local internet connection and your internet service. The cloud provider can only commit to an SLA for their service and not for the whole internet or your connection to it. Wenham urges business leaders to determine how well the supplier’s definition of service availability matches their own requirements.

And when things go wrong, the CISO must examine the mechanisms available for reporting issues and tracking them. Wenham says: “Remember that many cloud providers will only accept problem reports by e-mail and then only from one named/identified person (usually the account holder) and this could impact service restore time.”

Match cloud security measures to data value

Wenham says protecting sensitive information in the cloud requires encrypting the data. If you do encrypt the data, then you would typically only be using the cloud for storage and not processing, as you would need to decrypt the data before you can process it.

He recommends CISOs assess whether the login authentication mechanisms the supplier offers are commensurate with the value of data being stored or processed. For instance, is a user name and password the only mechanism available or are multi-factor mechanisms available? Can password complexity and password expiry be set and can these be managed by the business?

Looking for and choosing a cloud provider that is ISO27001-accredited is to be recommended, but the fact that a vendor has current ISO accreditation does not mean you can ignore other considerations.

Along with data controls, Mike Small, member of London Chapter ISACA Security Advisory Group and senior analyst with KuppingerCole, urges CISOs to concentrate on establishing a good framework for governance. As Wenham said earlier, when moving to the cloud it is important that business requirements are understood and the cloud service is selected to meet these needs. Small says taking a good governance approach, such as COBIT, is key to safely embracing the cloud and the benefits that it provides.

Beware cloud supplier lock-ins

Small warns CISOs to be wary of supplier lock-ins that can easily occur in the cloud. There are a number of factors that can make changing cloud provider difficult. The ownership of the data held in the cloud may not be clear and return of the data on termination of contract may be costly or slow, Small warns. When data is returned, it may not be in a form that can easily be used or migrated. Cloud services (built using cloud platforms, PaaS in particular) may be based on a proprietary architecture and interfaces making it very difficult to migrate to another provider. The risks of building business services based on a proprietary technical architecture are high and technical standards should be adopted where possible. Ensure ownership of data is clear and the terms for its return on termination of contract are acceptable.

For Simon Salmon, CSA UK and Ireland Chapter member, the question remains of whether businesses are being over-cautious when it comes to cloud security.

He says: “At the least, cloud-based systems should prompt everyone to think through far more carefully what their security requirements are across the whole supply chain. Given that, and also that cloud services have been developed with security in mind, it is possible the information security may actually improve.”

There will be cloud security breaches, but businesses have experienced security breaches that are not related to cloud computing. When working with a cloud provider, it is possible to ensure your exposure to risk does not increase.

“However if you currently don’t consider security issues, you may struggle in the cloud!” says Salmon.

Author: Warwick Ashford
Source

Healthcare Slow to Embrace Cloud

There’s been so much talk about it. And it seems everyone is doing it. “The cloud” has become many businesses’ preferred method of information management and storage.

Cloud computing simply means that information is hosted and stored on the Web.

But there’s one industry that’s not quite so sure about it, or the security of it. While 71 percent of healthcare organizations are either using or looking at the implementation of cloud computing or storage technologies, a new KLAS report shows that “trust in public-cloud services such as those offered by Amazon, Google and others remains weak,” according to a story by Diagnostic Imaging staff.

KLAS says at its Web site that its reports impartially measure healthcare technology vendor performance.

The Diagnostic Imaging writers report that PACS, a technology that stores hundreds of scans each day, providing image access to hundreds of physicians, is an area of particular interest in terms of using the cloud.

“I don’t know that there are a ton of major healthcare providers putting their patient data in the (public) cloud right now. From a liability perspective, it isn’t as mature as some other industries,” the CIO of a facility with more than 1,000 beds told KLAS, the story reports. “That is a major concern for me right now.”

KLAS also noted that patient data security, data privacy and data control are all concerns when considering cloud computing for storing and accessing health care records, according to the story. To work around this, the story says, “A growing number of providers are gravitating toward private clouds, where the use of designated servers strengthens control over their data.”

But some real strengths can also be found through cloud computing. Many healthcare facilities are interested in the disaster-recovery and physical-security advantages of the cloud, according to diagnosticimaging.net. “From a stand-alone practice’s perspective, I am generally scared that I will lose my data. But if it is in the cloud, I know it is more secure,” one physician told KLAS, according to the story.

And there can be benefits for stand-alone facilities such as physician practices, including cost and security concerns, in joining up with larger organizations “to have the use of an electronic health record that is privately hosted in the parent organization’s cloud,” according to the story. But hospitals are a little more reluctant and are only dipping their toes in carefully, for now, according to the story.

Author: Deborah DiSesa Hirsch
Source