If you thought you had a handle on your organization’s appetite for risk, chances are the economy has changed the dinner portions. Because the potential for saving money through the use of cloud services is real, security pros are being pressured to figure out just how risky those services are.
Ironically, one of the hardest things to assess about cloud services is their effect on regulatory compliance.
Our survey shows that compliance is the main goal of risk management initiatives, and compliance tied with internal audits as the No. 1 measurement of success. “Compliance is making people do things to stay out of jail, changing security from a ‘should’ to a ‘must,’” says Ira Winkler, CEO of consulting firm ISAG. Winkler laments that highly secure organizations have to spend on compliance testing to prove they’re secure. But, he says, “organizations lacking in security are much better off today because of compliance since they have had to establish better practices and processes.”
Companies that do security well have the same staffing and funding obstacles as any company, but they focus on managing risk and protecting data. They know their appetite for risk and they manage to it, rather than think of security as a checklist of requirements. They can’t secure everything, so they identify their most important assets and the likelihood of loss, and put programs and controls around them for protection.
No, because PCI requirement No. 5 calls for antivirus protection. Using antivirus software is considered an industry best practice, but “best practices were created by the legal community to defend litigation in court so the organization can say they were following best practices,” says John Pironti, president of management consulting firm IP Architects. Both sides bring in expert witnesses, and the most convincing expert wins. Best practices aren’t worthless, but they’re not one size fits all, and are too often applied without regard to context.
The types of attacks against Heartland Payment Systems, Hannaford Brothers, and TJX took planning and expertise. They weren’t conducted by kids downloading pre-compiled tools–the types of attacks that would be stopped by companies that implement the bare minimum “best practices.” And that is fundamentally the difference between check-box security and risk management.
If you think you have risk management in hand, chances are cloud computing will shake that confidence. Assurances about data segregation, privacy, and security, while nothing new, take on added dimensions in cloud services because you don’t know where your data is most of the time. Don’t think cloud computing will affect your organization?
Surveys conducted by Deloitte’s Security & Privacy Services show that many companies already have moved to some outsourced computing “because you can’t argue with the dollars,” says Deloitte partner Rena Mears.
“Stop asking if cloud computing is going to happen.”
Knowing data’s location is fundamental to securing it, and the location of data may have significant legal implications.
“The first step for Chiquita,” says CIO Manjit Singh, “is to understand the regulatory requirements for every country we operate in. We then know the requirements we need to meet to protect our sensitive data internally. Then we have to ask ourselves and local authorities what an external provider needs to show to demonstrate they can protect our data as well as Chiquita.”
To do that, cloud and software-as-a-service providers have to agree to periodic security assessments by external auditors chosen by Singh’s team, and Chiquita must thoroughly understand the policy and procedures of the service provider, including who has access to the company’s data and equipment. For example, Singh points out that many providers have one policy governing their contractors and another for their own employees. The economics of cloud computing are so compelling that SaaS vendors are starting to host their applications in a cloud service.
SAS-70 is a standard that dictates how audits of service providers should be done, but the assessments cover only the operations that the provider wants covered, and often the only document you get to see is the auditor’s statement of opinion, which provides an overview of the scope of the assessment and whether the organization does what it says it does. What you don’t see, and what consultant Pironti recommends that providers not reveal, is the detailed auditor’s report, which lays out what the assessor found, including the tests performed. The challenge for CSA is to create certification requirements that don’t suffer from PCI’s snapshot-in-time problem and that are directly applicable to cloud environments.
Breach notification laws don’t tell companies how to protect data; they just require that companies tell their customers when they’ve lost their customers’ data.
Developers and testers–particularly those outside a company holding sensitive data–shouldn’t be allowed to view private data, but they have to work with valid data to test their applications and patches. Data masking, for which there are many techniques and products available, generates valid but obfuscated functional data.
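One concrete form of “valid but obfuscated functional data”, as an added example that is not from the article or from any masking product it refers to: deterministic, format-preserving masking of a card number that keeps the BIN, replaces the account digits with HMAC-derived digits, and recomputes the Luhn check digit so the application’s own validation still accepts the masked value. The key and the number 4111111111111111 below are constructed test inputs, not anything from the page.

```python
"""Deterministic, format-preserving masking of card numbers for test data.

Keeps the BIN (first 6 digits) so card-type logic in the application under
test still behaves, replaces the account digits with keyed pseudo-random
digits, and recomputes the Luhn check digit so validation still passes.
The same input and key always give the same output, so joins across
masked tables still line up. The key must stay with the masking job, not
with the testers.
"""
import hashlib
import hmac


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial + digit` Luhn-valid."""
    total = 0
    # The check digit will sit at the rightmost position, so the rightmost
    # digit of `partial` is the first one that gets doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit."""
    return len(number) > 1 and number[-1] == luhn_check_digit(number[:-1])


def mask_pan(pan: str, key: bytes, keep_bin: int = 6) -> str:
    """Mask a PAN; the result has the same length, same BIN and passes Luhn."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("input is not a Luhn-valid card number")
    bin_part = digits[:keep_bin]
    n_middle = len(digits) - keep_bin - 1  # everything except BIN and check digit
    # Keyed MAC of the real PAN: without the key, the masked value cannot be
    # linked back to the original, but equal inputs still mask identically.
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    # Map hex chars to decimal digits (slight bias is acceptable for masking;
    # this is pseudonymisation for test data, not a cryptographic token).
    middle = "".join(str(int(c, 16) % 10) for c in mac)[:n_middle]
    partial = bin_part + middle
    return partial + luhn_check_digit(partial)
```

Because the output is Luhn-valid and keeps the BIN, checkout and reporting code paths exercise normally in test, while no real account number leaves the production boundary.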
http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=218100139