
How Do You Secure the Clouds?

WGU Information Security Bloginar Series

  • Cloud Control - A perfect storm is coming, one that pits security groups against business leaders desperate to contain costs. Can we find a middle ground?
    by Bob at 11/4/2009 4:10:29 PM
  • A recent article in Information Week identified 5 fast fixes to the security/governance problem of cloud computing. See below. What do you think?

    1. Define Your Governance Needs: Are they internal, external, legal? List the requirements and how they’re satisfied.
    2. Classify Your Data: Before you can determine what data you can safely put in the cloud, you first have to classify and label it according to sensitivity and type.
    3. Choose Wisely: Identify cloud vendors that can satisfy your processing and governance needs. Direct business leaders to walk away from the rest, no matter how attractive pricing is.
    4. Set Limits: Define what the service provider can do with your data. Prohibiting the outsourcing of processing to a third party without your consent is basic.
    5. Put Rules In Writing: Publish policies and procedures stating which cloud vendors can receive which types of data.
    by Bob at 11/4/2009 4:20:08 PM
  • Cloud computing for some applications makes perfect sense in that it is cost effective in times when saving costs is critical, especially for small and medium sized businesses. However, large companies like Amazon are leading the charge on development and expansion of cloud computing. There are some experts that are predicting that cloud computing may in fact turn out to be as large a trend as off shoring.
    by Jackie Brewer at 11/4/2009 4:23:47 PM
  • Why are Mike Culver of Amazon and other large corporations interested in cloud computing?
    by Jackie Brewer at 11/4/2009 4:24:21 PM
  • Handing over control of a company's computing assets to another company seems inherently unsafe to me. Why should we trust one company to run all that, even if they have a good reputation?

    Moreover, what are the legal implications for this data?
    by Kathleen Swineford edited by Bob at 11/4/2009 4:28:19 PM
  • Amazon's primary goal is to take the fixed cost out of computing! To that end, Amazon has spent over 2 billion dollars during the last decade building the infrastructure, technical and operational knowledge creating Amazon Web Services. Mike Culver of Amazon's web services is a technical cloud computing evangelist. He joined Amazon in 2006 and before that he had the same role at Microsoft.
    by Jackie Brewer at 11/4/2009 4:28:21 PM
  • Kathleen has a good point. Bob, Jackie, thoughts on that?
    by Gwen Britton at 11/4/2009 4:30:18 PM
  • In a conventional outsourcing arrangement, the customer can negotiate control over the location of its data, including where backup operations will be conducted. This knowledge allows the customer and provider to know which regulatory schemes apply and to comply with the relevant data transfer laws. Outsourced cloud computing, however, can be delivered at a cost-effective price because the provider can move data around the world, perhaps splitting it up and sending it to different locations, depending on capacity, use and bandwidth. This freedom may result in non-compliance with the myriad worldwide regulations pertaining to storage and transfer of data.
    by Bob at 11/4/2009 4:32:08 PM
  • Mike Culver has developed ten web services at Amazon, with 3 of them being the most critical. First Amazon Elastic cloud (Amazon E2) offers on-demand virtual computing capacity. Second, Amazon Simple Storage Service that provides a secure, redundant data storage, and Amazon Simple Queue (SQS) provides a way to push messages between applications.
    by Jackie Brewer at 11/4/2009 4:32:40 PM
  • I agree with Kathleen. For most companies, data security and data protection are the biggest barriers to outsourcing cloud computing for any applications that involve sensitive or confidential data.
    by Bob at 11/4/2009 4:35:11 PM
  • Kathleen, good points! With outsourcing going to companies that specialize in specific areas such as healthcare radiology, then those companies usually have the best knowledge of the applicable laws such as HIPAA for the niche market they serve. Outsourcing can in fact be the best option for a company to get the best solution at the lowest cost with a company that has the strongest regulatory and legal knowledge.
    by Jackie Brewer at 11/4/2009 4:35:21 PM
  • So, because the data is so dynamic within a cloud computing environment, it is worth the subscription price of using the cloud? Using a cloud seems like a redundant service, in that you pay for something that you would do anyway within the company...
    by Kathleen Swineford at 11/4/2009 4:37:27 PM
  • Pardon the ignorance, but why would an online retailer invest heavily in cloud computing? Also, considering the nature of Amazon's business, what implications would that have on PCI compliance?
    by Justin Farmer at 11/4/2009 4:37:47 PM
  • Cloud Computing is a solid system with several failovers. With the heavy application loads servers must handle, an organization like Amazon can let a cloud computing company handle that. It is the same as off shoring, or outsourcing really. We are outsourcing application and data processing--correct me if I am wrong, I am new to cloud computing.
    by Josh at 11/4/2009 4:38:53 PM
  • Instance Types
    Standard Instances

    Instances of this family are well suited for most applications.

    * Small Instance (Default) 1.7 GB of memory, 1 EC2 Compute Unit (1 virtual core with 1 EC2 Compute Unit), 160 GB of instance storage, 32-bit platform
    * Large Instance 7.5 GB of memory, 4 EC2 Compute Units (2 virtual cores with 2 EC2 Compute Units each), 850 GB of instance storage, 64-bit platform
    * Extra Large Instance 15 GB of memory, 8 EC2 Compute Units (4 virtual cores with 2 EC2 Compute Units each), 1690 GB of instance storage, 64-bit platform
    by Josh at 11/4/2009 4:39:20 PM
  • I think that contracts with cloud outsourcing providers will require more due diligence and involve less negotiation of terms and conditions. Customers should be concentrating on whether the cloud solution keeps them in regulatory compliance, and ultimately customers will rely on the provider's documentation of its solution as being compliant (either directly - as with a software release for banking or healthcare software - or indirectly, as in defining with specificity the locations where data will be stored). Consequently, a failure of the provider to keep the customer in compliance could be a failure of the service to comply with its own specifications, and result in a contractual damage remedy.
    by Bob at 11/4/2009 4:39:24 PM
  • Justin, for e-retailers, cloud computing offers the best investment of dollars and provides overall a safe and secure virtual environment for customers. Amazon may be leading the charge with this area, but they are certainly not alone in wanting to capture a large share of retail sales.
    by Jackie Brewer at 11/4/2009 4:39:46 PM
  • Have there been any prominent legal battles or notable security compromises in public or private enterprises as a result of an organization's cloud solutions?
    by Jim at 11/4/2009 4:40:08 PM
  • Josh, you are exactly correct regarding the legal liability issue for a healthcare organization. If there is a mistake made, the buck stops with the outsource company. :)
    by Jackie Brewer at 11/4/2009 4:41:03 PM
  • Though, I can see something like this being beneficial for start up companies that don't yet have the resources for data management.
    by Kathleen Swineford at 11/4/2009 4:41:06 PM
  • On the other hand, from a legal standpoint it is easier to rely on a company that is supposed to follow regulations like HIPAA, instead of waiting for an internal employee to make the mistake that causes a huge lawsuit.
    by Josh at 11/4/2009 4:41:35 PM
  • Jim, yes there have been some instances but as cloud security improves they have become farther between and certainly not with the same public negative impact that accessing customer financial data caused companies.
    by Jackie Brewer at 11/4/2009 4:44:20 PM
  • I would be concerned that most startups do not have a governance policy that would provide the security and protection in the cloud.
    by Bob at 11/4/2009 4:46:01 PM
  • One risk basically relates to the "management" of the utility by the end user. The end user must still manage the resource actively.
    by Dwayne at 11/4/2009 4:47:08 PM
  • Josh, but if the outsourced company makes a mistake, the data is still loose, regardless of who is at fault.
    by Kathleen Swineford at 11/4/2009 4:47:22 PM
  • I have seen a lot of flak thrown at Google for their availability issues with Gmail and Google Apps; it's amazing how a few mishaps can mar the image of cloud computing as a whole.
    by Josh at 11/4/2009 4:47:36 PM
  • As we saw with the Postini outage last month, even Cloud based computing cannot manage 100% uptime. With that in mind, why not leave these kinds of critical systems in-house so that customer expectation can be properly managed?
    by Erik edited by Jackie Brewer at 11/4/2009 4:47:57 PM
  • Erik, especially smaller and mid-sized companies cannot afford the resources, so leasing the cloud from a company that outsources makes much better economic sense to stretch IT dollars as far as possible in the troubled economic times we have now.
    by Jackie Brewer at 11/4/2009 4:48:45 PM
  • If you're thinking about cloud computing, the military would probably not be at the top of your short list. In fact, the Navy is working with Amazon and Security First Corporation in using commercial based infrastructure. Why would the Navy be working with a company like Amazon for commercial cloud computing? Would the Navy be able to effectively secure cloud computing?
    by Jackie Brewer at 11/4/2009 4:52:45 PM
  • IT is a utility, and management goes for the cheapest utility bill, while maintaining an acceptable level of service, 98% uptime is great if it saves your company thousands of dollars...
    by Josh at 11/4/2009 4:53:17 PM
  • That attraction for smaller companies could be an avenue for fraud if they don't do the research.
    by Kathleen Swineford at 11/4/2009 4:53:21 PM
  • The Navy wants to use cloud computing to improve and support humanitarian assistance and military disaster relief operations.
    by Jackie Brewer edited by Gwen Britton at 11/4/2009 4:53:44 PM
  • Being new to cloud computing, I'm still concerned with security. How is the channel between the service provider and customer secured? Is this more like a VPN between the two?
    by Justin Farmer at 11/4/2009 4:54:18 PM
  • What is the impact of cloud computing on k-12 education?
    by Gwen Britton at 11/4/2009 4:54:30 PM
  • Actually according to the Pentagon the military can offer a more secure cloud computing infrastructure than commercial companies can. The Navy uses cloud computing when deploying ships to relief areas for aid to affected regions such as from an earthquake or civil war.
    by Jackie Brewer at 11/4/2009 4:55:55 PM
  • So is the Navy outsourcing this, or creating a military based cloud, that only the military has access to?
    by Kathleen Swineford at 11/4/2009 4:58:37 PM
  • I have a hard time believing that the Navy will be able to securely use cloud computing...though if it is not used for security or privacy data, maybe it would work.
    by Kathleen Swineford at 11/4/2009 4:58:43 PM
  • Gwen, there are virtual elementary schools that utilize cloud computing offered by vendor companies. One such virtual school is Elkhart Cyber School, www.onlineecs.org. I think in the coming years there will be a strong growth of virtual elementary schools. ECS used to be the only one approved by Kansas Board of Education and now there are 12 in Kansas alone that are approved public schools.
    by Jackie Brewer at 11/4/2009 4:58:47 PM
  • Are any federal or state government agencies utilizing any cloud computing? How about law enforcement agencies?
    by Bill at 11/4/2009 4:58:47 PM
  • As a note to Justin: Google offers https connections with all of their popular services - docs, calendar, etc.
    by Jim at 11/4/2009 4:58:53 PM
  • Kathleen, a combination of both. For military operations the Navy uses the military cloud. For civilian based relief efforts they are working with commercial based companies.
    by Jackie Brewer at 11/4/2009 5:00:14 PM
  • Kathleen, the Government seems to accept the concept of internal clouds on DoD networks and is playing with them. DISA is interested in hosting these clouds internally.
    by Bob at 11/4/2009 5:00:31 PM
  • Bill, yes there are and with the infusion of money from the government, I expect to see more government - federal and state use cloud computing.
    by Jackie Brewer at 11/4/2009 5:01:54 PM
  • Maybe this is ignorance talking, but it seems like an internal cloud would be much more secure than an outsourced cloud. Is this a correct assumption or no?
    by Kathleen Swineford at 11/4/2009 5:02:09 PM
Who's Blogging
  • Jackie Brewer
  • Erik Jorgensen
  • Dan
  • Gwen Britton
  • Bob