Subscribe

Your email:

Popular Posts

Posts by Tag

Cloud Compliance Blog

Current Articles | RSS Feed RSS Feed

Clouds for Compliance: Do the Benefits Outweigh the Risks?

Posted by Robbie Forkish on Fri, Oct 30, 2009
Submit to Digg digg it | Submit to Reddit reddit | Add to delicious delicious | Submit to StumbleUpon StumbleUpon | Share on Facebook Facebook | Share on Twitter Twitter | Share on LinkedIn LinkedIn 

A new white paper, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, has just been published by ISACA. The paper provides a short overview of cloud service models and deployment models, and lists the well-known business benefits of cloud computing -- with cost savings at the head of the list. Ease of deployment, high availability, scalability, efficiency and resiliency round out the list of cloud computing benefits.

But what's interesting to IT and security professionals are the risks and security concerns associated with cloud computing. To those following the literature and debates on cloud security the concerns listed in the white paper are familiar: what is the reputation, history and sustainability of the cloud service provider (CSP); where does data reside, and does it matter if that question can't be answered precisely; how well is information protected; who can have access to sensitive or confidential information; and can sensitive information be located in the event of a disaster. Many of these issues at a minimum can be addressed in contractual service level agreements (SLAs), but writing tight SLAs is not the same as mitigating risk.

The ISACA white paper is relatively brief and high-level. Many other information resources exist that delve into great detail on CSP exposures and vulnerabilities, both real and imagined. But additional detail and technical depth isn't necessarily what organizations need to determine whether cloud benefits outweigh the risks for their situation. Specifically, they need to assess the risk related to their sensitive data that would be operated on or stored in the cloud.

Every organization should -- and many organizations do -- have a data classification strategy in place. COBIT 4.1, for example, mandates that organizations should "Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data... It is used as the basis for applying controls such as access controls, archiving or encryption" (section PO2.3). The following classification guide, from the State of New York's CSCIC, is a good example of an approach for classifying data based on risk levels with regard to data confidentiality, integrity and availability:


 

Here is another approach, then, to dealing with cloud security risks: Limit cloud-based applications to only those that operate on low- or moderate-risk data. Put another way, your organization may decide to reap the economic benefits of cloud-based services -- but only for applications that fall within acceptably low risk profiles.

This evaluation process is already being employed, if only implicitly. Tens of thousands of companies have opted for SaaS-based CRM solutions, the most well-known being from Salesforce.com. Customer information, while valuable to the organization, is not so critical that having it stored in the cloud is viewed as an unacceptably high risk.

On the other hand, many companies I've spoken to believe that the risk of storing personal identifying information (PII) or other highly-confidential information in the cloud is unacceptably high-at least at the current level of cloud security maturity.

My company, Cloud Compliance, has a keen interest in this question. We believe that internal user names and logon activity are no more sensitive than CRM data currently being stored in the cloud by so many companies. While we've found many organizations that agree with our risk assessment, there are others who aren't so sure.

Identity and Access Assessment (IdAA) solutions such as that being developed by Cloud Compliance need to upload two data sets to the cloud in order to perform their analytics:

  1. log records from SSO systems, log management systems or from application servers which show all access activity (log on and log off) and includes user IDs and time/date of access; and
  2. rights or entitlement information from AD, the applications or from an identity management system which lists which users have entitlements to which applications. (Note that if the entitlement/identity management system includes personal identifying information such as SSN or home address it is not included in data sent to the cloud. Also note that data in transit as well as data at rest is encrypted.)

(Please visit our product page for more information on how our solution works as well as a use case demo.)

This is the relevant risk management question: If you assume that IdAA solutions reduce if not prevent audit findings related to access controls, is it worth the risk to have your user names, login activity and entitlement information stored in the cloud?

Here's another way to look at it: Is your internal entitlement and activity data more or less sensitive than your customer data that's being stored in the cloud by Salesforce.com and other CRM SaaS solutions?

I am very interested in your views. Please leave a comment on the blog, or send me your opinion at rforkish@cloud-compliance.com. I'll report back in a future post on the collective wisdom of the blog readers.



Tags: , , , , , , , , , , , ,

Comments

Currently, there are no comments. Be the first to post one!
Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics

Receive email when someone replies.