Info-Tech Research Group recently held a Web seminar on cloud computing and security. Security, Info-Tech says, is not about eliminating risks to the enterprise; it is about mitigating these risks to acceptable levels. As organizations increase their use of software-as-a-service, some question the associated security risks to the business. Is our information at risk from unauthorized use or deletion? Is security the same with the internal and external cloud? In the webinar, Info-Tech’s senior analyst James Quin discussed the challenges and concerns the market faces today regarding security and cloud-based technologies.
The following questions were asked during the webinar. Some were answered in the webinar conversation with James and others are answered below.
Q: What types of businesses are currently using the cloud and what businesses are best suited for the cloud?
A: Many organizations are using the cloud right now. This includes both large and small organizations across all industries. Organizations that are testing or cleaning generic data that is not deemed to be confidential or sensitive are well suited for the cloud. The cloud provides the infrastructure necessary to make use of the data and lets it be shut down when necessary. Short-term data recovery capabilities are well suited for the cloud, as is software-as-a-service, for example, CRM tools.
Q: Do legislative requirements exist for companies who are operating in the cloud?
A: Legislative requirements do not exist for companies operating in the cloud. It’s important for companies to understand and set up contracts with vendors. It’s your responsibility (not the vendor’s) to ensure audit practices are developed to ensure data integrity and security.
Q: How do you know the geographical location of the cloud in order to be compliant with state and federal laws for holding private information?
A: The short answer to this is that you don’t know. That’s one of the challenges. There are massive data centers all over the world and we don’t know the geographical location of the data and can’t control where it is. That’s the fundamental challenge of using the cloud. It doesn’t mean you shouldn’t use cloud computing; it just means you need to understand what applications are best suited for its use.
Q: What is the impact of US Patriot Act on privacy concerns of non-US organizations?
A: The US Patriot Act allows for search and seizure in the event of suspected terrorism, or dealings with terrorists. Depending on how the seizure is executed, in theory, should law enforcement wish to seize electronic data, they could seize actual storage devices, which would affect multiple clients. This leads to an inability to access data, and also to a potential loss of data. Encryption is fundamental and a tactic companies should consider implementing.
Q: Can companies develop exit strategies for the cloud?
A: Companies can and definitely should set up exit strategies. This is a fundamental issue, not necessarily a security one. Companies must be very careful about this. First, companies must ensure they are using cloud providers who do not use proprietary data storage or something unique to them. An exit will be difficult if this is the case. Second, contractual stipulations need to be worked out between the client and vendor. As a client, a tactical measure is to make sure that removal and cleansing is clear in the contract.
Q: Has the cloud changed the ISO Model?
A: No, the ISO model doesn’t care about the cloud. ISO is a standard. Cloud is fast moving and has not been addressed in the ISO model. Companies are, however, looking for direction in this area. One of the best organizations that may be able to help answer your questions about this is the Cloud Security Alliance at www.cloudsecurityalliance.org.
Q: With the tremendous amount of sensitive/proprietary data in the cloud, what are cloud vendors doing to protect it? Whose responsibility is it to protect the data? How can I be sure that the vendor doesn’t have access to my data?
A: One step organizations can take is an audit process to ensure your data is protected. If the vendor is unable to do this or pass the audit, you may need to look at your exit strategy. If it’s your data then it’s your responsibility to protect it. Ask what security controls the vendor provides and make sure that you are using strong encryption with self-managed keys.
Q: What work has been done on total cost of ownership in a secure cloud environment?
A: Not much work has been done in this area. Right now, cloud is a model built on efficiency, not evaluation of, for example, how much security costs you. The Cloud Security Alliance, mentioned earlier, is working on this.
Q: What providers are using TXT?
A: Intel is releasing chips with TXT capabilities this year. Uptake by providers will be another story. That being said, TXT is only one component because software will be required as well to monitor and report on what TXT sees.
Q: What are the risks associated with major Internet outages?









