Eduardo Gelbstein and Viktor Polic
For a long time, organizations and individuals have relied on third-party services relating to data, information systems, and infrastructure, and many lessons have been learned in the process.
Cloud computing has established itself as a potentially valuable addition to the portfolio of third-party services. But cloud computing can introduce several issues for data owners, particularly when the data is considered sensitive in terms of confidentiality, access rights and privileges.
While the benefits of cloud computing are easy to understand (e.g., lower cost, flexibility, transfer of accountabilities for operational activities), it is prudent to remember the old adage, “If it looks too good to be true, it probably is,” and devote time to a detailed assessment of the issues described in our recent Journal
Cloud-related issues raised in conference discussions and various publications focus on concerns such as:
- Data ownership and what the service provider is or is not allowed to do with this data
- The use of encryption and management of the encryption keys and digital certificates
- Identity and access management
- Compliance with data protection legislation, particularly about the location of the data
- Compliance with privacy protection legislation
- Terms of contract, including the right to audit the service provider
- Confidentiality and nondisclosures by the service provider
- Access rights to data by the personnel of the service provider and its suppliers or service providers
- Guarantees that in the case of termination of a contract there will be no copies of data left with the service provider
Other issues that could affect cloud computing are:
- The impact on the data owners if the service provider goes out of business or is the target for an acquisition by a third party
- The feasibility of terminating a contract and migrating the data (and related services) to another service provider
The real issue may be one of timing—the cloud is likely to be part of the service portfolio offered by third parties for many years to come. Optimists and risk takers will no doubt gain the benefits of cloud computing sooner and gain valuable experience in doing so. Those whose risk appetite is limited and deal with custom, critical applications may choose to wait until the issues discussed in our Journal article have been addressed and resolved appropriately.
Biswajit Mohapatra, Vinay Parisa and Joydipto Banerjee
In our recent Journal article, we talk about how enterprises are adopting technologies like cloud, analytics, social and mobile tools to drive a strategic advantage. Emerging businesses that are born on the cloud have these technologies as part of their DNA and are at an advantage, as they can focus on a small number of core competencies that are integral to their business, unlike established enterprises that were formed using a strategic but different business model from the internet era. We are at the cusp of a smarter era where systems and applications are designed to interact with each other and generate a lot of data. Businesses are starting to depend on sophisticated analytics to distill insights and context from this increasing volume of digital information. These insights are changing the way enterprises do business with their customers. By 2020, it is expected that there will be more than 200 billion connected devices, and machine-generated data will be 42 percent of all data.
In the infrastructure world, as cloud computing evolved, it became increasingly evident that there was still room for traditional applications and hardware. A new deployment model, the hybrid cloud, started to emerge, and with it the automation that was built for the cloud started to find use in the traditional datacenters. By abstracting the infrastructure, the cloud automation makes it possible to scale the resources between public and private clouds to offer a perfect solution for unique requirements. Cloud automation software also includes monitoring and predictive analytics solutions, which are used to analyze the data generated by the infrastructure in order to allocate appropriate resources for applications, thereby bringing a greater level of optimization.
Gartner predicts that by 2016, 25 percent of external application implementation will be on mobility, cloud, analytics and social computing services and more than 50 percent of application modernization efforts will address business demand for enhanced functionality to legacy systems and not cost reduction. Enterprises lacking a modernization strategy are going to lose a lot of ground and will face an uphill task of playing catch-up. For an enterprise to be successful across technological eras, it must continuously reinvent itself, embrace innovation and be an early adopter. These new technologies enable rapid change, growth and innovation in business. A modernization strategy is essential for an organization, and big data will be the key to hidden opportunities.
By Tim Myers
Many companies rely on threadbare IT resources or external advisors to guide them in making technology decisions and are understandably wary when considering new options, especially the multitude of software as a service (SaaS) features now available to them in the cloud.
Companies that are considering cloud-based services for the first time or that have made only marginal forays into the use of public or private data centers should walk before they run. As any battle-scarred veteran of the business world knows, new programs or projects stand a much better chance of success—and widespread acceptance—if they are approached in a methodical manner.
Rather than flying into the cloud headfirst, the prudent choice may be to take a more modular approach. With advice from IT leaders and any outside experts, companies can test out the cloud by piloting it first with 1 cloud-ready enterprise function, like accounting, email services or data backup. This way, organizations will quickly learn what works, what needs tweaking and whether or not the cloud is proving to be beneficial from a return on investment perspective.
Importantly, while assessing this initial foray into the cloud, the rest of the business will run as usual. Thus, any problems or delays can be ironed out without disrupting the rest of the enterprise.
If the cloud is living up to its billing, organizations should be ready to add on additional cloud-ready functions and applications and enjoy further cost, productivity and security benefits. And given that 87 percent of cloud users surveyed recently would recommend the cloud to a peer or colleague, the likelihood of satisfaction is high.
Although the cloud is much buzzed about in the tech world, it is still new enough to be feared by many, especially by those who do not fully understand it. Most people see its benefits in flexibility, speed and cost savings. By automating processes from the cloud, organizations can achieve the benefits of automation faster and more economically than ever before.
Over the years, I have had first-hand experience with organizations that have been reluctant to automate their business and IT processes. It is not because they were afraid of automation, but because they were concerned about how they would implement it. In a survey commissioned by Redwood Software in 2012, the results found that even though 87 percent of representatives from top global enterprises believe that automation is key for productivity, 99 percent still spent a lot of time doing repetitive manual tasks, with almost two-thirds (63 percent) of companies spending more than a quarter of their time on manual tasks. Each of these manual tasks costs the organization money every day.
In fact, implementing automation from the cloud eliminates many perceived barriers to automation. Any decision required to kick off a process improvement initiative with automation from the cloud does not require buying additional infrastructure or hardware. Automation from the cloud makes it much more feasible. Rather than just accessing applications, infrastructure or data, business and IT professionals can now build in automation that is easy to implement, change and expand. Perhaps surprisingly, the cloud can also offer more security than on-premises solutions. Because process automation touches so many activities across so many systems, shifting these to the cloud can avoid systemwide slowdowns and keep everything running smoothly. Think of how many times you have heard complaints that something critical to operations is running slow because of, for example, a system copy in progress. Now imagine that never happening again for you or anyone else across your entire organization. It is possible.
From the automobile to Google Glass, every bit of innovative technology is initially met with fear and skepticism. When innovation can affect an entire company’s overall performance, it is no wonder that it is approached with some trepidation. However, being a late adopter of advantageous approaches, such as automation from the cloud, can cost companies real money. As early adopters begin to share their success stories with those who are more hesitant, do not be surprised if cloud-based automation is the norm everywhere very soon.
Shah H. Sheikh, CISA, CISM, CRISC, CISSP, CCSK
There has been a great deal of focus and attention on cloud services and the benefit they bring—financially and operationally—to organizations. Little is done to understand the exact security implications that are likely to be faced when discussing security in the cloud. When this particular topic comes into question, a plethora of subject areas related to security come into play, such as data security (residency, custodianship, destruction, transference), legal liability for data that cross borders as transborder data flows, disaster recovery, service level agreements, right-to-audit clauses, cloud service risk management, service monitoring, security auditing, and logging in the cloud. The list goes on.
When an organization is looking to outsource elements of IT services into the cloud through the platform, software or infrastructure (PSI) as a service model, it is important to establish a cloud security charter outlining the security requirements from a high-level perspective that are aligned with the organization’s information security policies. The charter itself is driven either technically or through management but ultimately must have the blessing of the board. In its simplest form, the charter identifies what is required from an information security perspective to rubberstamp and approve transitioning services into the cloud. The establishment of the charter is intended to align the organizationwide strategy for cloud adoption and signifies the role information security plays in that strategy and the overall governance.
Following good practices in the industry and implementing standards developed by international organizations provide a solid framework on the life cycle of managing security within the cloud. The issue of cloud security cannot be avoided, and the answer is certainly not product- or solution-based. The traditional security professional mind-set must change, new security techniques need to be adopted and a framework that addresses and manages security risk in the cloud throughout its life cycle needs to be nurtured into the overall cloud transition process from the onset.
Dan Bogdanov, Ph.D. and Aivo Kalu, Ph.D., CISA
Imagine a skilled artisan who can craft items out of clay. She uses practiced steps to turn the raw material into a useful object, and she is so experienced that she can work blindly without seeing the item in progress.
Now imagine a computer that can process your data blindly without seeing them. Such a machine would change computing as we know it. If we could use these computers to provide services on the Internet, the data owners could use the services without fear of their data leaking to third parties. The processing of private data could safely be outsourced to computing resources rented from a cloud service provider.
All this has been hard to do until now, as the data owners have not had enough control over their data once they upload the data to an online computer. Now, new developments in the field of computer security have taken us one step closer to a computer that can work on your data without seeing the values.
In our recent ISACA Journal article, we introduce a novel way for building online services with unparalleled privacy guarantees. The approach is based on secret sharing and secure multiparty computation—two cryptographic techniques that protect information from the computer host during both storage and processing. This is a major step forward from standard encryption that only provides protection during storage and forces us to decrypt data to process them.
explains the technology and presents case study examples of its use to protect confidential financial information.
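An added example, not code from the article or its authors: a minimal sketch of additive secret sharing, one common building block for the kind of processing described above, in which three hosts add up constructed revenue figures while each host only ever holds random-looking shares. The ring size, the number of hosts, the `Host` class and all function names are assumptions made for illustration.

```python
import secrets

MODULUS = 2**32   # assumed ring size: every share and result lives in Z_(2^32)
N_HOSTS = 3       # assumed number of independent computing hosts


def share(value, n=N_HOSTS):
    """Split value into n random-looking shares that sum to it mod MODULUS."""
    if not 0 <= value < MODULUS:
        raise ValueError("value must be in [0, MODULUS)")
    # The first n-1 shares are uniformly random; the last one fixes the sum.
    shares = [secrets.randbelow(MODULUS) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def reconstruct(shares):
    """Recovering the value requires all shares; fewer reveal nothing."""
    return sum(shares) % MODULUS


class Host:
    """A computing host. It stores and processes shares, never plaintext."""

    def __init__(self):
        self.stored = []

    def receive(self, one_share):
        self.stored.append(one_share)

    def local_sum(self):
        # Addition is purely local: the sum of shares is a share of the sum.
        return sum(self.stored) % MODULUS


def secure_sum(private_values):
    """Each data owner shares one value; hosts add without reconstructing."""
    hosts = [Host() for _ in range(N_HOSTS)]
    for value in private_values:
        for host, one_share in zip(hosts, share(value)):
            host.receive(one_share)
    result_shares = [host.local_sum() for host in hosts]
    # The total wraps modulo MODULUS, so the ring must fit the real total.
    return reconstruct(result_shares), hosts


if __name__ == "__main__":
    revenues = [1200, 830, 4100]  # constructed sample inputs
    total, hosts = secure_sum(revenues)
    print("total:", total)
    print("what host 0 holds:", hosts[0].stored)
```

Addition needs no communication between hosts; operations such as multiplication or comparison require an interactive protocol among them, which this sketch does not cover.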
We believe that secure multiparty computation technology has great potential as it solves a range of data confidentiality problems. For example, according to a recent report by Discovery News, the new technology was used to determine if two satellites collide without forcing satellite owners to disclose the exact trajectories.
In what ways would you use this new technology? Read the article and let us know what you think in the comments!
Larry G. Wlosinski, CISA, CISM, CRISC, CAP, CDP, CISSP, ITIL
When IT security started becoming important to the protection of computer systems on the network, a fellow security colleague asked me a question that is even more relevant today. My colleague was an information system security officer (ISSO) who was having trouble convincing a user that annual IT security training was important and was required. The user had asked him, “Who is responsible for IT security?”
When the ISSO asked me the question, I responded “Is this a trick question? Everyone is responsible for security.” I believe this is even more the case today.
Over the past 15 years, I have seen IT security evolve from background checks and physical security concerns to defending the network against malicious software (e.g., viruses, worms, botnets, Trojan Horses, phishing attacks) initiated by mischievous and criminal minds, to defending against threats from established criminal organizations, terrorists and identity thieves. In today’s world, the skill set requirements have increased considerably and they continue to do so. IT security must defend the financial industry from ruin, prevent the loss of corporate secrets and safeguard the information of everyone in the organization (and with whomever they conduct business).
The threats have moved from direct terminal entry into the system (or network) to wireless devices of all sorts. You can see that almost all of the people around you have one or more wireless devices, such as a cell phone, laptop, digital notepad and iPod. Like all new devices, the inventors make products with new features and capabilities for public use, and it is up to those in IT security to protect the confidential, sensitive, personal and mission-critical data within the organization.
When it was once simply a matter of implementing defensive host and network software, the required security skills have evolved—they have become specialized because of the numerous types of attack vectors and the high number of criminal entities. Today, there are IT security specialists in system security assessment (and audit), security architecture, risk and compliance management, network and operations security, application security, incident response, computer forensics, penetration testing, malware analysis, contingency planning, and identity management.
Information security has become so complex and important to everyone that it has evolved into a service. In my recent Journal article, I provide some insight into the shift in security responsibilities for organizations that have moved their data, and in some cases their systems, to the cloud. For those organizations that think that the ISSO is the only person needed to protect their data and systems, I invite you to read about how the security boundary is changing and how it now takes many people to keep your data secure.
William Emmanuel Yu, Ph.D., CISM, CRISC, CISSP, CSSLP
Not so long ago, all businesses had traditional brick-and-mortar operations. Employees had access to communications facilities within these brick-and-mortar facilities. Security was hinged on the fact that controls could be placed in both the facility and the equipment contained in the facility. Cloud-based communications offerings removed the tether to the office desk and Bring Your Own Device (BYOD) mobile-enabled offerings removed the tether to the office equipment. The untethering trends in communications have focused on 3 main areas:
- Electronic mail. Email solutions allow access from anywhere with Internet access and from a broad range of devices including mobile. A number of these offerings have value-added services such as spam and malware filtering, archiving and even some enterprise groupware functionality (i.e., calendar, address books, document sharing). Major players in this space include Google Apps, Rackspace Email and Zoho.
- Instant messaging. Email is frequently used as an instant messaging solution with the advent of push email. However, real-time messaging is making a comeback via mobile-centered instant messaging offerings (i.e., WhatsApp, Viber, Facebook). Enterprise instant messaging functionality (e.g., organizational groups, directory services) has not quite managed to creep into these offerings yet. But this does not stop businesses from using these channels.
- Telephony. Telephony solutions offer follow-me services that allow an enterprise user to have one telephone number that allows people to reach them either in the office or on the go (via mobile). These offerings are now available for entire enterprises and not just individual users. They have a rich set of enterprise functionality, including conferencing, recording, voice mail, messaging triggers and call routing. Gone is the day when companies needed to procure full IVR/PBX solutions to join the ranks of the enterprise “big boys.” Today, a credit card and Internet access can provide you with such services. Major players include Twilio and RingCentral.
In the new Wild West of communications, information security professionals must adjust to the mind-set that security via controls in well-defined and limited enterprise facilities—the Fort Knox Mentality—is coming to an end. Information is now scattered in many places: physically stored in disks with a hosting provider, in transit among many Internet and telecommunications providers, and cached in the many individual devices an enterprise user may carry. Today, all of these areas, including additional areas of concern such as safe harbor, right to forget, data repatriation and ownership, and need to clean as you go (CLAYGO), must be considered in the eyes of information security.
Read William Emmanuel Yu’s recent Journal article:
“BYOD Security Considerations of Full Mobility and Third-party Cloud Computing,” ISACA Journal, volume 1, 2013