“ISF’s view of the cloud is shifting”, Davis told his audience. “As an industry, we have technology definitions that we are happy with, acronyms and terminology like ‘platform as a service’, that no-one else uses. Most of society doesn’t actually get what we are talking about.”
Organizations, he says, are concerned about costs and “getting rid of the IT team in the basement”. Sometimes, this means cutting information security completely out of the loop, leaving those responsible for security unable to influence the decision.
If an organisation does make the move into the cloud, Davis advises that they should at least be aware of his ‘seven deadly sins of cloud computing’ which apply to large and small organizations, and across the entire supply chain:
- Ignorance: It is often the case that very few employees will actually be aware that their organization has adopted cloud computing. Ignorance, however, is not a defense. Knowing if your organization is in the cloud, and what this means for your business, is essential.
- Lack of knowledge: If you buy a cloud service, you’re normally accountable to their terms and conditions. Know what you are signing up to. Know what the terms and conditions are, and keep hold of the end user license agreement.
- Doubt: Are you able to audit your cloud supplier? Ensure that they are doing what they say they are by confirming the right to audit.
- Trespass: Which laws apply to this cloud agreement? Consider geography and familiarise yourself with which laws you are breaking and which you are complying with. Be able to demonstrate that you are not trespassing.
- Chaos and disorder: Know the sensitivity and the criticality of your information. People put data in the cloud because it is easy and cheap – they don’t worry about its sensitivity. Ensure you understand how the data is stored, backed-up, and destroyed.
- Conceit: When the CEO decides to go to the cloud, know whether you are actually cloud-ready. Most infrastructures are not ready for the cloud, indeed we’re often still struggling with VPN.
- Complacency: Everyone thinks that the cloud will never break, that we can put pictures on Flickr and they will be there forever. Remember, there is a metal underneath and the connection is somewhere. There is a single point of failure.
“None of these sins are anyone’s fault”, declared Davis. “Organizations are making these mistakes every day, not the tecchies. People need to stop and think. They see the advantages and the promises [of cloud computing] – they don’t look at risk equations”.
The role of the information security industry, said Davis, is “to help businesses get this right. If we get in the way of cloud, they’ll just push us away”, he said. “You need to explain in business terms to your CEO that seeming business savings will cost you further down the line – in compliance and infosec costs.”
Davis emphasized the importance of being able to take advantage of the cloud moving forward. He offered several pieces of advice in order to combat the seven sins of cloud computing:
- Plan for the end at the beginning. Think about how you are going to leave, and how you will get your data back. Consider whether you have right to logs, and who will own your data if the provider goes bust.
- Know who your suppliers are.
- Agree a security plan that your business is happy with
- Consider how you validate security and understand what they are doing.
- Have metrics, monitoring and reporting available
- Scrutinize the security of your entire supply chain
In conclusion, Davis summarized that while cloud computing introduces new risk, “there is enough to be able to help you, as long as you remember the seven deadly sins. Internally, don’t fix one thing and think you’ve fixed the problem. There is no silver bullet. Tell the business what is right, and what the risks are – it is the business that needs to win”.
Finally, he asked the audience for their input into the CAMM standard, which is a kitemark for cloud computing practice. “We want to get it absolutely right”, he said. For more information on CAMM, please click here.