CloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist?
This question has been puzzling a few folks of late, not just CloudFucius. The Judicial/legal side of the internet seems to have gotten some attention lately even though courts have been trying to make sense and catch up with technology for some time, probably since the Electronic Communications Privacy Act of 1986. There are many issues involved here but a couple stand out for CloudFucius. First, there is the ‘Privacy vs. Convenience’ dilemma. Many love and often need the GPS Navigators whether it be a permanent unit in the vehicle or right from our handheld device to get where we need to go. These services are most beneficial when searching for a destination but it is also a ‘tracking bug’ in that, it records every movement we make. This has certainly been beneficial in many industries like trucking, delivery, automotive, retail and many others, even with some legal issues. It has helped locate people during emergencies and disasters. It has also helped in geo-tagging photographs. But, we do give up a lot of privacy, secrecy and confidentiality when using many of the technologies designed to make our lives ‘easier.’ Americans have a rather tortured relationship with privacy. They often say one thing ("Privacy is important to me") but do another ("Sure, thanks for the coupon, here's my Social Security Number") noted Lee Rainie, head of the Pew Internet and American Life Project. From: The Constitutional issues of cloud computing You might not want anyone knowing where you are going but by simply using a navigation system to get to your undisclosed location, someone can track you down. Often, you don’t even need to be in navigation mode to be tracked – just having GPS enabled can leave breadcrumbs. Don’t forget, even the most miniscule trips to the gas station can still contain valuable data….to someone. How do you know if your milk runs to the 7-Eleven aren’t being gathered and analyzed? At the same, where is that data stored, who has access and how is it being used? I use GPS when I need it and I’m not suggesting dumping it, just wondering. Found a story where Mobile Coupons are being offered to your phone. Depending on your GPS location, they can send you a coupon for a nearby merchant along with this one about Location-Based strategies. Second, is the Fourth Amendment in the digital age. In the United States, the 4th Amendment protects against unreasonable searches and seizures. Law enforcement needs to convince a judge that a serious crime has/is occurring to obtain a warrant prior to taking evidence from a physical location, like your home. It focuses on physical possessions and space. For instance, if you are committing crimes, you can place your devious plans in a safe hidden in your bedroom and law enforcement needs to present a search warrant before searching your home for such documents. But what happens if you decide to store your ‘Get rich quick scheme’ planning document in the cloud? Are you still protected? Can you expect certain procedures to be followed before that document is accessed? The Computer Crime & Intellectual Property Section of the US Dept of Justice site states: To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer if it would be prohibited from opening a closed container and examining its contents in the same situation….Although courts have generally agreed that electronic storage devices can be analogized to closed containers, they have reached differing conclusions about whether a computer or other storage device should be classified as a single closed container or whether each individual file stored within a computer or storage device should be treated as a separate closed container. But, you might lose that Fourth Amendment right when you give control to a third party, such as a cloud provider. Imagine you wrote a play about terrorism and used a cloud service to store your document. Maybe there were some ‘surveillance’ keywords or triggers used as character lines. Maybe there is scene at a transportation hub (train, airport, etc) and characters themselves say things that could be taken as domestic threats – out of context of course. You should have some expectation that your literary work is kept just as safe/secure while in the cloud as it is on your powered down hard drive or stack of papers on your desk. And we haven’t even touched on compliance, records retention, computer forensics, data recovery and many other litigating issues. The cases continue to play out and this blog entry only covers a couple of the challenges associated with Cloud Computing and the Law, but CloudFucius will keep an eye on it for ya. Many of the articles found while researching this topic: The Constitutional issues of cloud computing In digital world, we trade privacy for convenience Cloud Computing and the Constitution INTERNET LAW - Search and Seizure of Home Computers in Virginia Time to play catch-up on Internet laws: The gap between technology and America's laws hit home last week in a court decision on network neutrality FCC considers reclassification of Internet in push to regulate it Personal texting on a work phone? Beware your boss High Court Justices Consider Privacy Issues in Text Messaging Case Yahoo wins email battle with US Government How Twitter’s grant to the Library of Congress could be copyright-okay Judge Orders Google To Deactivate User's Gmail Account FBI Warrant Sought Google Apps Content in Spam Case State court rules company shouldn't have read ex-staffer's private e-mails District Took 56,000 Pictures From Laptops Can the Cloud survive regulation? Group challenging enhanced surveillance law faces uphill climb Watchdogs join 'Net heavyweights in call for privacy law reform Digital Due Process Judge's judgment called into question Dept of Justice Electronic Evidence and Search & Seizure Legal Resources Electronic Evidence Case Digest Electronic Evidence Finally, you might be wondering why CloudFucius went from A to C in his series. Well, this time we decided to jump around but still cover 26 interesting topics. And one from Confucius himself: I am not one who was born in the possession of knowledge; I am one who is fond of antiquity, and earnest in seeking it there. ps The CloudFucius Series: Intro, 1The Venerable Vulnerable Cloud
Ever since cloud computing burst onto the technology scene a few short years ago, Security has always been a top concern. It was cited as the biggest hurdle in many surveys over the years and in 2010, I covered a lot of those in my CloudFucius blog series. A recent InformationWeek 2012 Cloud Security and Risk Survey says that 27% of respondents have no plans to use public cloud services while 48% of those respondents say their primary reason for not doing so is related to security - fears of leaks of customer and proprietary data. Certainly, a lot has been done to bolster cloud security, reduce the perceived risks associated with cloud deployments and even with security concerns, organizations are moving to the cloud for business reasons. A new survey from Everest Group and Cloud Connect, finds cloud adoption is widespread. The majority of the 346 executive respondents, 57%, say they are already using Software as a Service (SaaS) applications, with another 38% adopting Platform as a Service (PaaS) solutions. The most common applications already in the cloud or in the process of being migrated to the cloud include application development/test environments (54%), disaster recovery and storage (45%), email/collaboration (41%), and business intelligence/analytics (35%). Also, the survey found that cloud buyers say the two top benefits they anticipate the most is a more flexible infrastructure capacity and reduced time for provisioning and 61% say they are already meeting their goals for achieving more flexibility in their infrastructures. There’s an interesting article by Dino Londis on InformationWeek.com called How Consumerization is Lowering Security Standards where he talks about how Mob Rule or the a democratization of technology where employees can pick the best products and services from the market is potentially downgrading security in favor of convenience. We all may forgo privacy and security in the name of convenience – just look at loyalty rewards cards. You’d never give up so much personal info to a stranger yet when a store offers 5% discount and targeted coupons, we just might spill our info. He also includes a list of some of the larger cloud breaches so far in 2012. Also this week, the Cloud Security Alliance (CSA) announced more details of its Open Certification Framework, and its partnership with BSI (British Standards Institution). The BSI partnership ensures the Open Certification Framework is in line with international standards. The CSA Open Certification Framework is an industry push that offers cloud providers a trusted global certification scheme. This flexible three-stage scheme will be created in line with the CSA's security guidance and control objectives. The Open Certification Framework is composed of three levels, each one providing an incremental level of trust and transparency to the operations of cloud service providers and a higher level of assurance to the cloud consumer. Additional details can be found at: http://cloudsecurityalliance.org/research/ocf/ The levels are: CSA STAR Self Assessment: The first level of certification allows cloud providers to submit reports to the CSA STAR Registry to indicate their compliance with CSA best practices. This is available now. CSA STAR Certification: At the second level, cloud providers require a third-party independent assessment. The certification leverages the requirements of the ISO/IEC 27001:2005 management systems standard together with the CSA Cloud Controls Matrix (CCM). These assessments will be conducted by approved certification bodies only. This will be available sometime in the first half of 2013. The STAR Certification will be enhanced in the future by a continuous monitoring-based certification. This level is still in development. Clearly the cloud has come a long way since we were all trying to define it a couple years ago yet, also clearly, there is still much to be accomplished. It is imperative that organizations take the time to understand their provider’s security controls and make sure that they protect your data as good or better as you do. Also, stop by Booth 1101 at VMworld next week to learn how F5 can help with Cloud deployments. psIn 5 Minutes or Less Video - IP Intelligence Service
I show you how to configure the IP Intelligence Service available on BIG-IP v11.2, in 5 Minutes or Less. By identifying relevant IP addresses and leveraging intelligence from cloud-context security solutions, F5's new IP Intelligence service combines valuable information on the latest threats with the unified policy enforcement capabilities of the BIG-IP application delivery platform. Deployed as part of the BIG-IP system, F5’s IP Intelligence service leverages data from multiple sources to effectively gather real-time IP threat information and block connections with those addresses. The service reveals both inbound and outbound communication with malicious IP addresses to enable granular threat reporting and automated blocking, helping IT teams create more effective security policies to protect their infrastructures. ";" alt="" /> In 5 Minutes or Less - IP Intelligence Service A free 30 day evaluation of the IP intelligence service is available. psThe Cloud Impact and Adoption Infographic
Maybe you’ve noticed but I’ve been on an infographic kick lately – especially when it’s something interesting. This time it is an aggregated infographic of data primarily from Forrester, IDC and Gartner as it pertains to the cloud’s impact and adoption thru 2015. According to Axway, the cloud is expected to become the primary operating system for enterprise by 2014, mobile devices are driving adoption, and the cloud hype is over, this thing is for real. Full jpg can be found here. psThe STAR of Cloud Security
The Cloud Security Alliance (CSA), a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, recently announced that they are launching (Q4 of 2011) a publicly accessible registry that will document the security controls provided by various cloud computing offerings. The idea is to encourage transparency of security practices within cloud providers and help users evaluate and determine the security of their current cloud provider or a provider they are considering. The service will be free. CSA STAR (Security, Trust and Assurance Registry) is open to all cloud providers whether they offer SaaS, PaaS or IaaS and allows them to submit self assessment reports that document compliance in relation to the CSA published best practices. The CSA says that the searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher-quality procurement experiences. There are two different types of reports that the cloud provider can submit to to indicate their compliance with CSA best practices. The Consensus Assessments Initiative Questionnaire (CAIQ), a 140 question document which provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings and the Cloud Control Matrix (CCM) which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in areas like ISACA COBIT, PCI, and NIST. Providers who chose to take part and submit the documents are on the ‘honor system’ since this is a self assessment and users will need to trust that the information is accurate. CSA is encouraging providers to participate and says, in doing so, they will address some of the most urgent and important security questions buyers are asking, and can dramatically speed up the purchasing process for their services. In addition to self-assessments, CSA will provide a list of providers who have integrated CAIQ and CCM and other components from CSA’s Governance, Risk Management and Compliance (GRC) stack into their compliance management tools. This should help with those who are still a bit hesitant about Cloud services. The percentage of those claiming ‘security issues’ as a deterrent for cloud deployments has steadily dropped over the last year. Last year around this time on any given survey, anywhere from 42% to 73% of those respondents said cloud technology does not provide adequate security safeguards and that that security concerns have prevented their adoption of cloud computing. In a recent cloud computing study from TheInfoPro, only 13% cited security worries as a cloud roadblock, after up-front costs at 15%. Big difference than a year ago. In this most recent survey, they found that ‘fear of change’ to be the biggest hurdle for cloud adoption. Ahhhh, change. One of the things most difficult for humans. Change is constant yet the basics are still the same - education, preparation, and anticipation of what cloud is about and what it can offer is a necessity for success. ps References: CSA focuses best-practice lens on cloud security Assessing the security of cloud providers CSA Registry Strives for Security Transparency of Providers Cloud Security Alliance Introduces Provider Trust and Assurance Registry Transparency Key To Cloud Security Cloud Security Alliance launches registry: not a moment too soon Fear of Change Impedes Cloud Adoption for Many Companies F5 Cloud Computing SolutionsCloudFucius Shares: Cloud Research and Stats
Sharing is caring, according to some and with the shortened week, CloudFucius decided to share some resources he’s come across during his Cloud exploration in this abbreviated post. A few are aged just to give a perspective of what was predicted and written about over time. Some Interesting Cloud Computing Statistics (2008) Mobile Cloud Computing Subscribers to Total Nearly One Billion by 2014 (2009) Server, Desktop Virtualization To Skyrocket By 2013: Report (2009) Gartner: Brace yourself for cloud computing (2009) A Berkeley View of Cloud Computing (2009) Cloud computing belongs on your three-year roadmap (2009) Twenty-One Experts Define Cloud Computing (2009) 5 cool cloud computing research projects (2009) Research Clouds (2010) Cloud Computing Growth Forecast (2010) Cloud Computing and Security - Statistics Center (2010) Cloud Computing Experts Reveal Top 5 Applications for 2010 (2010) List of Cloud Platforms, Providers, and Enablers 2010 (2010) The Cloud Computing Opportunity by the Numbers (2010) Governance grows more integral to managing cloud computing security risks, says survey (2010) The Cloud Market EC2 Statistics (2010) Experts believe cloud computing will enhance disaster management (2010) Cloud Computing Podcast (2010) Security experts ponder the cost of cloud computing (2010) Cloud Computing Research from Business Exchange (2010) Just how green is cloud computing? (2010) Senior Analyst Guides Investors Through Cloud Computing Sector And Gives His Top Stock Winners (2010) Towards Understanding Cloud Performance Tradeoffs Using Statistical Workload Analysis and Replay (2010) …along with F5’s own Lori MacVittie who writes about this stuff daily. And one from Confucius: Study the past if you would define the future. ps The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8CloudFucius Closes This Cloud Canon
Well, this is the 27th entry (26 not counting the intro) in the CloudFucius Series and what an interesting ride! What started out as a cloud version of the 26 Short Topics about Security series, soon turned into an exploration of the numerous cloud computing surveys, reports, statistics and other feelings about the technology. I also intended to investigate areas of cloud computing that I was not so familiar with and there were a few areas that I was able to dig further – like Radio and the NFL. Readers really seemed to like the ‘CloudFucius’ notion and while this is the last of this series, CloudFucius is not retired. We’ll bring him back from time to time to help decipher some of those cloud surveys. Another interesting tid-bit is that a few weeks into the series, someone from the Pacific Northwest actually created a twitter handle @cloudfucius. It wasn’t me but I had great interest in that, as you can imagine. I tried contacting them several times and then within the last week or so, the account disappeared. If you are out there, give me a shout!! Lastly, I included a real Confucius quote in each entry since his words seem to resonate when it comes to cloud computing. What did I learn? While I would notice various cloud surveys during my weekly perusal of the internet, I didn’t realize that there are/were so many, so frequently. Some weeks, literally 4-5 surveys would be released covering some aspect of cloud computing – adoption, budget, compliance, deployment, effectiveness, fears, guests, hijacking, insiders, justification, PKI, litigation, management, networks, open standards, public vs. private, questions, reliability, social media, IPv6, user experience, virtualization, gaming, control, vendors and security just to name 26. Security is cited as the biggest hurdle in almost 90% of the surveys but I also found that availability, control and a general lack of understanding are also drivers in challenges to cloud adoption. I also wondered if ‘security’ is the real culprit or are IT professionals just answering with that to keep the assets in-house and under their control. I bet a little of both. The ease of shoving stuff to the cloud has made anyone with a office cube an instant IT administrator. That has brought challenges too. Those who have touched the clouds, clearly see and recognize the benefits and continue to move more assets to the cloud. Those who haven’t, are hesitant or risk averse. And then there’s the group who are either testing or investigating ways to take advantage of the flexibility, scalability, cost savings and agility. This final entry wouldn’t be complete without some reporting on the most recent cloud surveys. Hubspan reported that 64% said that 'moving to the cloud for applications, infrastructure, integration and other solutions is a strategic direction for their organization and department.' Main reasons for not moving to the cloud are lack of understanding the benefits and IT having their own way of doing things. Finally some honesty. CA Technologies recently found in their Mainframe - The Ultimate Cloud Platform? survey that '79% of IT organizations consider the mainframe to be an essential component of their cloud computing strategy.' The kicker is that they are having trouble finding and retaining skilled mainframe professionals. 44% of surveyed companies said they are "grappling" with staffing issues to manage and maintain their production systems. A new TechTarget survey of more than 800 IT pros found that SMBs are not convinced that Private Clouds are beneficial. Virtualization Decisions 2010 survey shows that while large organizations might be building and experimenting with cloud technologies, almost two-thirds said they have no plans to try the private cloud model. They have enough to do and with smaller budgets, they don’t have the luxury of experimenting with new technologies. Also, unlike most surveys, security was not the major barrier. The number 1 reason was that they really didn't need a couple key components – metered usage and department chargeback – 35% said so. Complexity and skilled staff also keep them from adopting. And just to magnify the TechTarget survey, a new Harris Interactive poll of more than 200 IT pros at large enterprises indicates a 'much broader adoption of cloud computing, and shows accelerating momentum behind developing private cloud infrastructures.' 89% said that private clouds are the next logical step for organizations already implementing virtualization. With this one, we’re also back to citing Security as the main barrier – 91% are concerned about security issues in the public cloud, with 50 percent indicating security as the primary barrier to implementation. So the survey results are in and more will arrive this week, next week, next month and into the foreseeable future as long as there are questions surrounding the cloud. I do think I covered a good portion of the survey data available over the last couple months so if you need to research cloud statistics or if you missed any CloudFucius columns, here they are in order: The CloudFucius Series CloudFucius Has: Déjà Vu and Amnesia… CloudFucius Councils: Cloud’s Love/Hate Relationship CloudFucius’ Road Trip: Oracle Open World CloudFucius Confused: Cloud Costing Companies? CloudFucius Is: Ready for Some Football CloudFucius Goes Off…to VMworld CloudFucius Repeats: Money (Really) Moving to the Cloud CloudFucius’ Money: Trickles to the Cloud CloudFucius Counts: Cloud Outages CloudFucius Corners: The Coin Operated Cloud CloudFucius Investigates: The Comeback Cloud CloudFucius Asks: Will Open Source Open Doors for Cloud Computing? CloudFucius Tunes into Radio KCloud CloudFucius Dials Up the Cloud 99 Blog Posts on the Wall... Connecting to a Cloud while Flying thru the Clouds CloudFucius Shares: Cloud Research and Stats CloudFucius Listens: F5’s Cloud Computing Solutions CloudFucius Combines: Security and Acceleration CloudFucius Inspects: Hosts in the Cloud CloudFucius Wants: An Optimized Cloud CloudFucius Ponders: High-Availability in the Cloud CloudFucius Hollers: Read All About, F5’s On-Demand IT CloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist? CloudFucius Says: AAA Important to the Cloud CloudFucius Says: Blog Series, Good Idea And one from Confucius: The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come. Thus his person is not endangered, and his States and all their clans are preserved. ps The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 Resources: Survey Shows Cloud Is a Strategic Direction for Most Companies Mainframes Essential to Cloud Computing: Survey SMBs still unsold on private cloud Businesses will migrate to the cloud for IT delivery over the next five years, a survey indicates Cloud Computing Survey Reveals Widespread and Accelerating Enterprise Adoption of Private Clouds Mobile, cloud computing to dominate software apps, IT deliveries in next 5 yrs, says survey Security still an issue for cloud customersHas The Sky Cleared on Cloud Security?
Last year I embarked on a blog series, lead by my trusty advisor CloudFucius, that evolved into an exploration of the numerous cloud computing surveys, reports, statistics and other feelings about the technology. At the time, 4-5 surveys a week were being released covering some aspect of cloud computing and security was cited as the biggest hurdle in almost 90% of the surveys. I also found that availability, control and a general lack of understanding were also drivers in challenges to cloud adoption. Almost 6 months have passed since the last CloudFucius entry and I wanted to see if the same fears were still lingering or at least, were the current surveys reporting the same concerns from a year ago about Cloud Computing. First up, is UK based technology publication, Computing. Working with Symantec.cloud, they surveyed 150 IT decision makers and learned that as more companies embrace Cloud Computing, they are finding that the cloud solutions meet or beat, not only their expectations but also their own existing in-house solutions. While on-premise security solutions might be adequate today, as the security threats evolve, the cloud providers may have the advantage over time due to the infrastructure investments in advanced filtering and detection along with 24/7 trained staff. Last year, availability and uptime also emerged as concerns and today there is great interest in the contractual SLAs offered by cloud providers since it often surpasses what they are capable of in-house. Resiliency and disaster recovery across multiple data centers can ensure that if there is an outage in one location, the customers can still access their data. Management and control still create some anxiety but many IT teams are happy to abdicate routine maintenance, like OS patching and hardware upgrades, in exchange for management SLAs. Now that the hype of cloud services has passed and many providers are proving themselves worthy, it is now becoming part of the overall IT strategy. As the perceived threats to data security in the cloud dwindle, trust in the cloud will grow. The Cloud Connect Conference in Santa Clara also released a survey during their gathering. In that one, elasticity and speed of deployment were the top motivators to using cloud services. Elasticity or the flexibility to quickly add or reduce capacity, can greatly influence the availability of data. These folks however were less motivated by improved security or access to the provider’s IT staff. Their top concerns were data privacy and infrastructure control. I do find it interesting that last year the term ‘security,’ which can encompass many things, was the primary apprehension of going to the cloud while today, it has somewhat narrowed to specifically data privacy. That too can mean several things but areas like outsider’s physical access to systems doesn’t seem to worry IT crews as much any more. When it comes to our school/educational system, Panda Security released a study that focused on IT security in K-12 school districts. Like many companies, they must deal with unauthorized user access, malware outbreaks and admit that IT security is time and resource intensive. They do believe however that the cloud can offer security benefits and improve their overall infrastructure. 91% see value in cloud solutions and are planning to implement over the next couple years with 80% saying improved security was a main reason to deploy cloud-based security. Finally on the consumer front, GfK Business & Technology surveyed 1000 adults about cloud services and storing content in the cloud. With all of our connected devices – cell phone, computer, tablet, etc – there will be a greater demand to move data to the cloud. Not real surprising, less than 10% of the consumers surveyed fully understand what the cloud actually does. The know of it, but not what it accomplishes. With what you don’t understand comes fear. 61% said that they were concerned about storing their data in the cloud and almost half said they would never use the cloud unless it was easy to store and retrieve data. As businesses begin to feel content with the cloud, they then need to both educate and communicate cloud benefits to their consumers. So it does appear like comfort with the cloud is beginning to take hold and as cloud offerings mature, especially around security, err ah, I mean data privacy solutions, the fear, uncertainty and doubt from last year is starting to loosen and it sure seems like greater adoption is on the horizon. And one from Confucius: They must often change who would be constant in happiness or wisdom. ps Resources: CloudFucius Closes This Cloud Canon Content security in the cloud - no longer hot air Cloud-based IT Security at a Tipping Point Reader Forum: The importance of cloud computing in mobile security Panda Security Study Reveals 63 Percent of Schools Plagued by IT Security Breaches at Least Twice a Year Cloud computing: What it can do for you and your business Just Don't Call It A 'Cloud' Defining enterprise security best practices for self-provisioned technology What do security auditors really think? Private Cloud Computing No Safer than Public Cloud Survey Shows Businesses Interested, But Still Conflicted, About The Cloud Cloud Computing Has the Power to Enhance Consumer Data Consumption, But Obstacles Hinder Greater Short-Term AdoptionCloudFucius Has: Déjà Vu and Amnesia…
…at the same time! Wow, faster than you can mutter, ‘Survey Says…’ more cloud computing survey results appear. Just last week, CloudFucius reported on 4 cloud surveys which confirmed the trend of our Love/Hate Relationship with the cloud. Before the week was over, a couple more surveys reiterated our feelings toward cloud computing. We love it since it helps IT with cost control, yet we’re still very cautious about deployments due to the concerns about security and control. The results of the Eighth Annual Global Information Security Survey were released last week and once again the theme is, ‘we see the value and understand the benefits but still scared about the provider’s ability to secure critical data and IT’s ability to control access to that data. CSO, CIO and PriceWaterhouseCoopers surveyed 12,847 technology and business executives from around the world and 62% of you have little or no confidence in your ability to secure any data in the cloud. 49% have ventured into the cloud but of those, 39% still have major questions about cloud security. Sounds familiar huh? The greatest risk to their own (your own) cloud computing strategy is the ability to enforce security policies at the cloud provider’s site. Inadequate knowledge/training and IT auditing also made the list. If you remember the PhoneFactor survey from last week, the biggest security concern was preventing unauthorized access to company data. Enforce security policy and prevent unauthorized access is almost the same thing. Enforcing a security policy should prevent unauthorized access. There needs to be more specific guidelines as to what types of data are acceptable for the cloud along with how to handle regulatory reporting of data in the cloud. The CSO survey also found security concerns in regards to ‘third parties’. There is a concern about cloud vendors who use third parties to host data centers and hardware along with serious fears about our third party business partners. The vendor issue has to do with not knowing any of the people hired to work on your systems; with partners, many organizations are concerned that their own security is at risk if their associate’s or partner’s security has taken a hit over the last year. 77% felt that their strategic partners had been weakened by the recession over the last year. If you remember Verizon Business' "2009 Data Breach Investigations Report (pdf)" 32% of the data breaches implicated a business partner and in fact, the majority was due to lax security practices at the connection level from the third-party. In 2009, it was usually the third-party systems that were compromised and the attacker used the trusted connection to make inroads to the target. Since it’s coming from a ‘trusted’ authorized connection, these are difficult to detect and stop. The more things change, the more they stay the same. Speaking of surveys, Lauren Carlson, a CRM Market Analyst asked me to share her short survey with you. Software Advice, a company that reviews CRM software, is conducting a survey on their blog to see who the real leader is in CRM. And one from Confucius: Ignorance is the night of the mind, but a night without moon and star. ps The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24 Resources: Survey: Cloud Security Still a Struggle for Many Companies Business partners a growing security concern Four Indicators That CIOs Are Ready to Embrace Enterprise Cloud Computing Cloud computing sparks corporate IT budget growth Financial services firms look to cloud, grid, and clusters to allay fears over data explosion Cloud Computing Services on the Rise, Survey Finds Early Adopters Now Running 60 to 70 Percent of Business Applications in the Cloud Can my PAN ride the LAN out the WAN? The Domino EffectCloudFucius Says: Blog Series, Good Idea
Last year I wrote a blog series called, ‘26 Short Topics About Security’ covering an alphabet soup of stories. It seemed to be well received and this year I’ve decided to do another – this time focused on Cloud Computing with ‘CloudFucius’ as my guide. Confucius, of course, was a Chinese philosopher who focused on personal growth, morals, good judgment, ethics and many other life enlightening behaviors. He lived around 500BC and is credited with, ‘Do not impose on others what you yourself do not desire,’ and many other gems like, ‘Choose a job you love, and you will never have to work a day in your life.’ First, I want to stake a claim here that CloudFucius (TM) is mine and I have started the copyright process. :-) I googled and did a copyright search for 'Cloudfucius' and absolutely nothing gets returned, which actually surprised me. 'Cloud-fucius' returns a bunch of 'fucius' stuff so I figured it’s good to take. If you do have any rights, speak up now. While I am well versed with the security stories, I can admit I'm no cloud super-expert; knowledgeable but certainly not to the level of MacVittie, Ness and the rest. While weaving in what I do know, I was thinking of investigating a bunch of cloud topics that I’m not an expert on, learn along the way and report on it. Education for all and playing off the fact that Confucius=wisdom. Hopefully CloudFucius will teach us something along the way. He’ll start next week with some easy doctrines like, CloudFucius Says: AAA Important to Cloud and in later weeks move into other areas like, CloudFucius Says: Secure Cloud is Possible. I’m looking forward to what we uncover and CloudFucius is excited to spread some cloud knowledge to the masses and someday getting a Hasbro toy and game named after him. 下 周 见 - 下 for Next; 周 for week; 见 for see/meet. ps
