As More Services Move To The 'Cloud' What Does It Mean For IT Security?
from the an-upcoming-webinar dept
While the term "the cloud" is still pretty loosely defined, there's no doubt that more and more services are being offered over the internet, and many of those are enterprise-type offerings. For example, lots of well-known companies are using Google Docs, and Salesforce.com has really become quite the standard in many, many places for any type of CRM/sales force automation. But what does that mean for IT folks, who are used to having full control over the technology being used by employees? How can they make sure that the services that employees are using are secure and protected? And, for companies building their own online services that they hope will be used in enterprises around the globe, how should they best prepare to build a system that meets the security requirements of in-house IT staff? On top of that, beyond traditional "technology" security, there are serious legal security questions as well. How protected, legally speaking, is the data stored in the cloud? Is it covered under different laws? And do the answers to these questions depend on whether you're "webifying" legacy systems as compared to building entirely new systems?
Well, we're hoping to answer a bunch of these questions with a new webinar that we're putting on next Tuesday, May 11th at 9am PT/noon ET (register here), as a part of our ongoing IT Innovation series -- sponsored by Oracle and Intel.
I'll be moderating the discussion, and the discussion will be led by two of the most knowledgeable folks I know on this topic: Jake Kaldenbaugh of CloudStrategies, and formerly an exec at NEC, where he drove early strategic efforts focusing on virtualization and cloud computing, and Sam Quigley of Emerose, a leading expert on cloud security, who previously was a founding member of EDS's security and privacy services group, an open source developer at security appliance vendor Astaro, the sole security person at Xign (which became JP Morgan Treasury Services) and Vice President of security and operations at Wesabe, the online financial startup.
The webinar will consist of a brief presentation, followed by discussion -- and we're hoping to make it as interactive as possible, so come ready with questions. If you'd like to attend, please register now!
Separately, it's worth noting that we recently refreshed the IT Innovation website, to reflect that it's sponsored by Oracle and Intel (Oracle taking over from Sun following the acquisition), and we've also refreshed the resource center with a series of new whitepapers, including (but not limited to):
- Best Practices for Managing Datacenter Costs via Application and Server Consolidation
- Why Solid-State Drives Usage Scenarios Are Expanding for the Datacenter
- New Blades and Networking Solutions Ensure Solid Return on Investment
- Reassessing Server Costs for Midsize Companies
Filed Under: cloud computing, cloud security, security
Reader Comments
Re: Re: Re: Re:
As per usual, the claims of the infamous anonymous commenter are wrong. Our two largest userbases are 18-34 and 35-49. The 13-18 part of our readership is actually well *below* standard, representing less than 10% of our readership.
http://www.quantcast.com/techdirt.com/demographics
According to that data (our own actually shows even lower teen usage), over 18 represents 89% of our userbase. Suggesting that it's a site for teens isn't just wrong, it's monumentally off base.
But, you know, facts and details aren't that particular commenter's strong suit.
Let's see if he'll admit he's wrong. He's never done it before.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
I would take that data with a very large grain of salt, Mike.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Perhaps. And if that's the case then the data would be even MORE in the direction we claimed. But, as I said, we don't rely on that data. I just used it because someone wanted public data. We also collect our own data, and it actually reflects Quantcast's as well.
protip: I block it across all sites, and you have no fucking idea what age I am.
Good for you.
I would take that data with a very large grain of salt, Mike.
Did you not read the comment where I pointed out that we had our own data as well?
[ link to this | view in chronology ]
Re:
Truly spoken like an older person. In my experience, young people are the ones MOST interested in technology, including business technology. I know I certainly was when I was a teenager/early 20's...
[ link to this | view in chronology ]
-- Eric Schmidt, paraphrased.
[ link to this | view in chronology ]
Re:
"If you have something that you don't want anyone to know, maybe you shouldn't be using Google or Facebook."
-- Eric Schmidt, corrected.
The Cloud offers the potential of much more robust information security than individually managed PCs and local enterprise networks. Don't confuse the Cloud as a platform with current Cloud applications. That's like saying PC security is shitty because IE6 is full of security holes.
[ link to this | view in chronology ]
Re: Re:
This may be true for the average intarweb user ...
however, there are many out there with sophistication which far exceeds the simplistic security employed by cloud computing offers. I will keep my computing needs local, thank you.
[ link to this | view in chronology ]
I'll answer this for you right now
2. The cloud does not provide any level of guarantee (that is financially backed) that your data is secure. They should *all* provide money where their mouth is: secure your data or pay a fine per resource stolen/accessed. But none do. This is telling.
3. If you do not maintain physical control of your data, access to data, then your data is not secure; period. Can the cloud allow you to walk to the machine and pull the HDD? Then it isn't your data.
4. Look at the Google Gaia breach. For all we know Google and 20+ companies out there are hacked and someone else is running root on them. Let me emphasize this: Google and 24 anonymous companies experienced breaches and do not tell you the extent. If a company that takes security seriously like Google and holds your data gets hacked, you can bet your ass small cloud vendors have as well. I barely trust Cisco router IOS's, let alone the cloud on the other side.
The cloud is a joke for any business or person that values their data staying secure.
[ link to this | view in chronology ]
Re: I'll answer this for you right now
IT departments fought like hell against cell phones and smart phones. When employees purchased their own and started expensing them, IT departments then were forced to incorporate them, add security policies, negotiate corporate deals, etc. VERY FEW IT departments ever said "here is some cool new technology, let's use it!"
You talk about Google as though Google is the cloud. It isn't. Google is a search company that scatters mediocre apps to the wind to see what happens. They are not a benchmark of quality for ANYTHING except search and search-based ads. How about the Telecom companies? They are all Cloud-based. They now offer SIX 9s availability for regulated services because if they don't, they have to report it to the FCC. But they move slowly and don't 'get' today's business needs. My point is that the Cloud is a platform that offers much higher security to an enterprise than rogue PCs and local Enterprise servers... but you have to implement wisely, according to what your business requires, which few companies do.
[ link to this | view in chronology ]
Re: Re: I'll answer this for you right now
I was the first person in the company with a smartphone, and we immediately approved it for wide distribution with heavy encryption on the device and wirelessly, and remote wipe, no texting or other way of getting the data through the phone other than through our internal systems. Smartphones aren't a critical holding place where work gets done, at least yet.
Telecoms (non-wireless, mind you) can offer 6 9's because the technology has been around over 100 years. Note that telecoms break when there are disasters, like the SFO earthquake, New Orleans, NY Terrorism. All three of those areas experienced outages of one type or another communication-wise.
Google and Amazon are the premier players in cloud-based services, that much isn't under contention, and neither have had 5 9's on critical cloud platforms since inception. Neither backs it up with $ either, just refunds. I know companies with frequent outages on their Google Apps Domain, but those outages simply aren't reported by Google on their dashboard. Put your money where your mouth is.
[ link to this | view in chronology ]
"As More Services Move To The 'Cloud' What Does It Mean For IT Security?"
Don't get me wrong, it's not that I don't like Indian food, it's just that the spices mess up my sinuses, and I have a weak immune system that prevents me from being able to take a prescription.
I'm *not* racist!
[ link to this | view in chronology ]
Everyone's looking for a deal!
http://www.donkeyonawaffle.org/OMB%20briefing%202008%2001%2011%20a.ppt
[ link to this | view in chronology ]
The Cloud offers the potential of much more robust information security than individually managed PCs and local enterprise networks. Don't confuse the Cloud as a platform with current Cloud applications. That's like saying PC security is shitty because IE6 is full of security holes.
But only the potential - web services are often managed by the cheapest staff a company can find to do it - not always, but how would you know?
I certainly wouldn't trust anything 'important' to a third party, personally.
It's true if you really need to secure something - it's best if it never comes in contact with the internet.
That's what really amazes me when it comes to Government/Industry and the so called 'critical systems' and their supposed 'vulnerabilities' - they shouldn't put stuff like that on the web at all.
Where I work, all the crucial process control machines are on their own isolated networks - if you want to hack them, you'll need to be at the site physically. Still intrinsically more secure than something on the web that way, even if the password is 12345 - because physical presence is a requirement to even get to a password prompt.
[ link to this | view in chronology ]
Re:
I won't argue this. But that means the company is the weak link in the chain, not the Cloud. These same underpaid employees have even more opportunity to compromise and abscond with data that is stored locally.
I certainly wouldn't trust anything 'important' to a third party, personally.
You just said you wouldn't trust your lowest-paid employees, now you say you wouldn't trust a third party that lives or dies based on being secure. Which is it?
It's true if you really need to secure something - it's best if it never comes in contact with the internet.
This is a huge myth. Network-level security, authentication, and encryption offer a more robust security solution than local versions. I'm not saying that the available services deliver that, I'm saying that the Cloud offers that potential. Don't confuse the Cloud with the available services.
[ link to this | view in chronology ]
Re: Re:
Sheesh.
Anyone with an ounce of pessimism knows that the terms and conditions upon your "cloud" data will change without notice and your data will be available to the highest bidder. Please stop with the BS
thank You, The Internet
[ link to this | view in chronology ]
Re: Re:
How can you say such a thing when there are hundreds of vulnerabilities discovered every month in said systems? DNS alone, SSL cert-signing alone, both have serious deficiencies that have not been addressed internet-wide, let alone locally.
Look at IBM: They don't connect anything critical to the Internet, they do as the previous poster suggested and you must be on a specific network to access it and have NO INTERNET CAPACITY to do so. They have several "ringed" networks like this that restrict what can and cannot access critical data. I don't see them changing this just because cloud computing tells them to.
[ link to this | view in chronology ]
IT security in the cloud? Be afraid
[ link to this | view in chronology ]
A long way to go...
I agree with Sophie, it's just a scary thought...
[ link to this | view in chronology ]