Archive for the 'Other Information' Category

The World of Information Security Types and Definitions


by
Jon M. Stout
April 6, 2010

The world of information security attacks and threats is growing in power and sophistication, with nation-backed Cyber attacks emerging. Although they have constituted isolated attacks so far, the new wave of Cyber attacks is more prevalent and dangerous. And, with the advent of (often hostile) national involvement in Cyber offensives, the risk to our nation’s National Security is real and potentially devastating.

And we, as a nation, are not ready to defend against a coordinated, powerful Cyber attack from within as well as from beyond our shores. Although substantial dollars are budgeted for Information and Cyber security, the management and planning for an effective long-term defense against Cyber terrorists. Greater effort on planning and organizing defenses and offensive scenarios of Cyber Security is required, and one of the first steps is the definition of Cyber/Information terms and concepts.

The world of Information Assurance/Cyber Security is very broad, and many of the terms are often used interchangeably and many times wrongly when defining a particular Information Assurance problem. What is needed to help reduce the high level of confusion is a list of standard terms that are universally accepted. A sample (but not exclusive) listing of terms can be found at Information Security Types. This guide brings precision to the usage of Cyber world terminology and provides a starting point or framework of understanding.

5 Things You Can Learn About Analysis from the Intelligence Community



More About the Intelligence Community

Posted by Tony Agresta on January 5, 2010 at 8:44pm

Businesses have a large and growing need to analyze data. This is no easy task today with the exploding volumes of data pouring in from everywhere, and the enormous pressure to turn these mountains of data into information that can be acted upon quickly.

It is no surprise that organizations spend over $15B annually on Business Intelligence (BI) and Data Mining technologies. But with all of the focus on infrastructure technologies, there is little emphasis on the art of analysis (analytics).

This is an area where the private sector would be well served by studying the methods used by the US Intelligence Community. This community has been in the business of understanding massive amounts of data for a long time and the applications are as mission critical as they get.

So, what are the lessons that you can apply to your business today? This multi-part blog series will explore 5 specific areas in more detail. More…

Cloud Computing: The Element of Trust


By
Jon M. Stout
Chief Executive Officer
Aspiration Software LLC

In the IT business, one frequently sees businesses and government entities fielding contracts to provide wireless capabilities for their facilities and personnel. As a security professional, the first question is always: “Why?” Experience has shown that businesses and government agencies tend to undervalue the sensitivity of their data—even their mundane, everyday data. They also tend to underestimate the vulnerabilities introduced by wireless connection points, even if secured, and their potential risk to expensive systems and business operations.

Recently, there has been a virtual explosion in the use of Cloud Computing to decrease security costs and increase accessibility to data.

Once again, businesses and government entities are jumping on the bandwagon to place volume upon volume of proprietary and potentially sensitive data into the great wide open of “The Cloud.” In this process, data owners are yielding broad powers of control over their data to external service providers for which an appropriate trust relationship may not be fully established, nor understood. Once again, the basic question is, “Why?”

The Attraction of Cloud Computing

Cloud Computing utilizes internet web services from external vendors to provide companies an attractively-priced and scalable means to outsource infrastructure, software, and even technical expertise. The vendor provides these services en-masse, leveraging the efficiencies inherent in economies of scale to provide IT capabilities that would be more expensive, or even prohibitive, to build and maintain independently.

A company or government agency of virtually any size can invariably find some aspect of their operation, or even a total solution, that would realize reduced financial costs in moving internal systems and capabilities into the Cloud. In fact, ventures with limited or non-existent internal information security resources to begin with may greatly improve their security posture simply by making the move.

It all sounds so new, wonderful, and exciting; and to a certain extent it is. But even in an economy dominated by the bottom line, it is easy to overlook a simple truth: The real value of a piece of data to its owner cannot be fully captured by a dollar sign, alone. In fact, that data may be priceless.

The Element of Trust

Often times, the true value of a piece of data is not realized until it is compromised. We work with volumes of data every day, and it is easy to take it for granted. It is also easy to take commercial services for granted. So, let the buyer beware: When considering outsourcing resources into the Cloud, it is imperative to understand the value of data and capabilities being entrusted to the vendor, as well as the nature of the trust relationship—with both the vendor and their third-party business partners! After all, you may be giving them the keys to the kingdom. As a starting point, some simple questions to consider should be:

Where will the data be located, both physically and logically? Different states within the U.S., and certainly different countries, have widely varying laws regarding second-party responsibility—and liability—for handling of data. Ironically, the U.S. has come under scrutiny from other countries due to the post-9/11 ease with which the federal government can gain access to foreign data. Logically speaking, is the data stored on single or multiple servers? Does it share space with data from other sources? Is it housed at one site or multiple, geographically separate sites?

Who will have access to the data, and how are they vetted and monitored? How does one control and gain access to your own Cloud data? How are vendor employees, contractors, and third parties restricted and monitored with regards to access to your data? What security policies are in place?

How will the data be secured on the server, and how is it backed up and/or replicated? Is the data encrypted on the server and/or in transit? How will encryption (or lack thereof) affect performance? How often is the data replicated, and to where? How long are backups maintained? What is the procedure and timeframe for gaining access to backups?

Is the vendor, and the storage site(s), controlling the data in compliance with applicable laws, regulations, governance, and best practices? Have they been cited or had unacceptable incidences in the past? What are the Terms of Service, contractually? What is the fine print, and what information is missing entirely regarding vendor responsibility and liability for data stewardship, loss, and compromise?

The answers to these questions, along with others particular to an individual situation, will define the level of trust required in a relationship with a potential vendor.

Evaluating Risk in Establishing Cost vs. Benefit

Once potential vendors’ offerings are understood, there are a few industry-standard security topics to consider in establishing the level of risk involved in outsourcing data and capabilities. Once the risk is quantified, the cost of moving to the cloud can be considered not only in terms of monthly savings, but also in terms of expected fiscal expense over time due to loss or compromise of data or capabilities. These macro-security topics are:

Confidentiality: What is the potential for disclosure of data with each vendor, and what degree of damage would be experienced to revenue, ongoing or future business efforts, company image, operations, or security if data were disclosed inappropriately?

Integrity: What is the potential for data corruption or loss with each vendor, and the degree of damage (per above) if data were corrupted or lost?

Availability: What is the speed of data access and degree of system reliability for each vendor? What is their system availability rate; and how will change management procedures, system upgrades, and potential disasters affect accessibility to data or capabilities?

Accountability: What is the detection and forensic capability for each vendor if data is lost or stolen? Can unauthorized access, inappropriate disclosure, or loss be tracked so that potential damage can be prevented or mitigated?

Choosing a Solution

In making a decision whether to utilize Cloud Computing, and to what degree, the primary focus should be the criticality of the data and capabilities in question. Considering all cost and risk factors, internal secured data systems may offer higher value for critical data than entrusting an outside party with its control.

While service providers and various consortiums are beginning to address some of the security concerns inherent in Cloud Computing, uniform legal and industry standards are still many years off. Furthermore, security comes with a price: Higher degrees of security and performance than what is currently the norm will necessarily reduce the margin of savings and the overall value to business.

When the decision is made to utilize Cloud Computing resources, consider the following as “must-haves” in choosing a vendor:
1. Demand openness from the vendor on security-relevant details of their employees, systems, and operations.
2. Ensure control is not lost for access to sensitive information: Protect proprietary and intellectual property, privacy information of employees and customers, as well as financial data.
3. Ensure applicable laws and governance mandates are not violated by your use of a vendor, nor by the vendor’s practices in handling your data (for example: FISMA, HIPAA, Sarbanes-Oxley…).
4. Ensure that the criticality of the data, and your liability for it, is not such that loss or release could severely damage or destroy yourself or others.

Virtual and “Cloud” computing are popular concepts in the search to better manage data storage and improve computing efficiency. But there is real and potential risk associated with these new concepts.
As a result, care and planning are required to avoid the negative impact of a security breach.

Intel summit next week in Ariz


Staff report
Posted : Thursday Dec 10, 2009 10:07:16 EST

The 2009 Intelligence Warfighting Summit, hosted by the Army Intelligence Center of Excellence, will take place Dec. 15-16 in Tucson, Ariz.

Classified sessions of the summit will take place Dec. 17 at Fort Huachuca, Ariz., home of the Intelligence Center of Excellence. This year’s theme is “Intelligence on the Edge: Setting the Conditions for Success.”

The summit will reflect how the days of a brick-and-mortar school or headquarters pushing out guidance to the Army are numbered, Maj. Gen. John Custer, commanding general of the Intelligence Center of Excellence and Fort Huachuca, said in a statement. More….

