By Steven Wolford, Director of Information Security, 6fusion
No, I’m not really calling you stupid, but it’s a great hook for helping us remember what is really important in information security, up to and including security in the “cloud”.
James Carville, like him or lump him, correctly identified the concerns of the voting public in identifying that “it’s the economy stupid” as he helped craft the message for Bill Clinton’s presidential campaign in 1992. If only I could be so eloquent and concise I would not have to rip him off.
Carville hung up a sign in the Clinton headquarters in Little Rock with just three little phrases:
- Change vs. more of the same
- The economy, stupid
- Don’t forget healthcare
The risk, stupid
Stupid. Sounds so degrading; so derogatory. How on earth do you come up with that? I have to rely on my southern heritage to understand it is not intended to be an insult. No, the term stupid means you just forgot what is important and lost focus on what really makes an impact.
Security is about risk management. Period. Don’t lose sight of the fact that what you are doing when you create all of your policies, processes, and technical controls is managing risk to your data.
Thanks again Brother Carville. It is time to realize that information security isn’t firewalls, intrusion detection, or anti-virus. Throw that notion an anvil.
Certainly use those things when and where appropriate but not until after you have done the work to identify the risk that you are attempting to manage. And there we go again. We already forgot that managing risk is the key to information security.
And away we go!
Interesting, but what does that have to do with cloud provider and cloud consumer relationships? Cloud consumers must make the conscious decision to begin understanding the risks to the data they want to move into the cloud. Begin by looking at the last risk assessment you performed for your existing internal data and information systems. You have done that, right?
Use the identified risks as discussion points with the provider. How will they limit access to systems (not everyone should be an administrator)? What is their incident response plan? And so on. For each risk identified for your existing internal system, figure out how that risk is addressed at the provider.
What are some of the most identified risks for cloud computing?
According to the Cloud Security Alliance, here is your list of top security concerns:
- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss/Leakage
- Account, Service & Traffic Hijacking
- Unknown Risk Profile
The risks and mitigation strategies that apply to your internal IT environment are the same ones that apply when you are using cloud services. The approach is the same, but the scope of coverage will vary: some of the risks are yours to mitigate, and some are the cloud service provider’s responsibility.
The main idea here is to have a plan. Know the risks to your data and who will do what to reduce those risks to an acceptable level. Once you have that you should be able to rest comfortably, knowing that your data is at no more risk in the cloud than in your facility. And always remember – it’s the risk, stupid.