Are you ready for Cloud Computing?
As a final research project for my most recent class, I assigned the task of outlining some of the security issues associated with moving to a cloud-based solution for an enterprise. Now “cloud computing” is certainly not a new concept, as Bruce Schneier did a great job of outlining on his blog earlier this year. However, it has recently gained momentum in these hard economic times as the need to reduce IT overhead is even more pressing than usual. The cost savings of moving to a cloud-based solution are beyond dispute. Even Uncle Sam is getting in on the action. The GSA has recently set up Apps.gov to promote the benefits of cloud computing to other government entities. The DoD is looking at implementing its own “private” cloud.
As was outlined by many of the student presentations, there are still many unanswered questions when it comes to security. I believe this is primarily because of the proprietary nature of our current solutions. Microsoft, Google or Amazon aren’t going to publicize all their security measures for current or prospective customers to evaluate. There is risk in the unknown. When an organization’s IT is hosted and managed on-site, those responsible for security (ultimately upper management) can verify fully what security measures are in place and the effectiveness of such measures. How does an organization ensure that its cloud provider is adhering to the agreed security measures? I believe a third party verification is essential here. Independent, thorough and periodic audits by a trusted third party can go a long way in ensuring confidence in prospective customers. A well-defined Service Level Agreement is also essential, especially when one considers the loss of control involved in becoming more dependent on the chosen provider. Some of the challenges created by moving portions of IT to a cloud provider are outlined in this NIST presentation.
Another excellent article on the subject has been recently published by MIT’s Technology Review, titled “Security in the Ether”. Lastly, I believe as organizations consider a move to cloud computing, the benefits and risks should be weighed. For smaller organizations and new startups, the decision seems a relatively easy one. When I formed my consulting practice, using Google Apps for my email, calendar, document sharing and other intranet services was an obvious choice. I could have almost as easily hosted and managed that infrastructure myself, but my benefit-risk analysis showed that to be neither practical nor greatly beneficial. For larger enterprises that have already invested significant resources in building up an IT infrastructure, the decision should be a lot harder. However, a thorough analysis of the benefits and risks should help move the decision one way or another.
Is your organization currently considering such a move?
William J McBorrough is a Security Expert with many years of success managing, designing, and implementing medium and large enterprise Physical and Information Technology Security Solutions. His experience spans the spectrum from small e-commerce start-ups to multi-campus state and federal agencies to global financial sector organizations. He is on the faculty of various universities including University of Maryland University College, EC-Council University, George Mason University and Northern Virginia Community College, where he conducts research and teaches graduate and undergraduate courses relating to cybersecurity, cybercrime, cyberterrorism, and information security and assurance. He holds a Bachelor of Science in Computing Engineering with a concentration in digital networks and a Master of Science in Information Security and Assurance. He is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk Information System Control (CRISC), and Certified Ethical Hacker (CEH). He is well versed in personnel, systems and network security risk management. His core competencies include developing cost-effective solutions to enable mission assurance in the following areas: Enterprise Risk Management, IT Governance, Security Organization Development, Information Security and Assurance.