You may have read this recent survey conducted by ISACA or the article about the survey posted on CNET April 7 or the more recent article about access and authentication headaches for cloud computing published by SC Magazine April 9.
The message is clear: Remote users watch out for security and privacy threats! Of course there is absolutely nothing new about this message. But then again, there is very little that is new about cloud computing. Only its name.
Forty years ago cloud computing had other names: service bureau computing, remote computing, mainframe service providers, to name a few. Fast forward and we have similar shared services more widely accessible by orders of magnitude because of ubiquitous Internet availability and the flexibility of IP addressing. So the concept of a remote service provider has changed not in the least; one person in their basement running a great application on an NT server with worldwide Internet access is an example of cloud computing.
The security and privacy vulnerabilities are commensurately more serious than legacy service bureau operations with remote access provided typically by dedicated lines. (Anybody know or remember what dedicated lines are?)
The ISACA survey does pose the financial rewards vs. the potential downside costs of risk, with a nifty Risk / Reward Barometer visual. To read the article please see www.ere-security.ca RSS feed, April 7. The idea of doing a risk analysis and BIA on any critical service is nothing new in the security business and, of course, these tools should be used when considering the use of cloud computing.
Further, in my opinion, using a cloud computing resource is much the same as outsourcing an IT service. Any conscientious purchaser of outsourced services should consider, review, and have in writing as part of an SLA, many issues surrounding IT security compliance monitoring, enforcement, and a mechanism for recovering financial losses due to breach of the outsourcing agreement.
For more ideas about how to deal with an IT services outsourcer, please see: www.ere-security.com, IT Security White Papers, Risk Analysis, “IT Security Costs: Outsource vs. Self Deploy”
But I digress.
The fundamental business needs for enforcing access privileges and stringent authentication do not change whether the IT services in question are in-house or in a cloud, as pointed out in the SC Magazine article. By the way, you can see the article at: www.ere-security.ca RSS, April 9.
The issue of who is doing the access and authentication processes is critical to its control. I personally prefer the client retain control, and provide access to employees or users via a proxy service, again under the control of the client. The authenticated users should then be provided VPN access to the cloud based service provider.
However, this is all for naught if the security framework of the cloud service provider is not up to snuff, since that essentially circumvents all the good work of access control and authentication done by the client. Which brings us right back to the point about the degree of security agreed to and provided by the cloud service provider.
The bottom line here is: The catchphrase cloud computing is new but all its old security headaches aren’t!
Have a secure week.
Regards, Ron Lepofsky, CISSP
President,
ERE Information Security and Compliance Auditors