“The Inherent Risks of Cloud Security – Out of Sight and Out of Mind?”
Joe Granneman, Ledgerwood Associates’ Keynote Speaker on Tech Day last April, is a computer security specialist who helps the FBI with security issues — in addition to his day job! Joe is also an author, speaker, a CIO of a Chicago health care organization, and a cloud security expert. We’ve picked some excellent excerpts from his address to share with you.
“There is so much hype about moving services to the cloud. At every turn, businesses are confronted with promises that sound too good to be true. The articles and advertisements that draw businesses in with promises of cost savings and infrastructure on demand are impossible to ignore. There are many competent, capable and secure cloud services providers available. However, the profitability of these cloud service providers has drawn others into the business that may not have your best interests at heart. Even the best cloud service providers have the occasional security issue. The cloud computing model has very different risks than the traditional client-server model. How do you know what the risks are for your data and your business?”
Why is cloud computing getting so much hype? Joe lists these reasons:
- Focus on core business
- Self provisioning
- Utility pricing
- Resource elasticity
- No capital expenditure
And the risks Joe identifies:
- Data segregation
- Privacy and access control
- Disaster recovery
- Audit and investigation
- Long-term viability
- Intellectual property
- Shared attack surface
Joe then shared some jaw-dropping examples of major, recognizable institutions caught in “compromising” situations. Of the security type, we mean. For example, salesforce.com got hacked through a phishing attack and 900,000 customer records were breached. Google Groups advised users to migrate to another product if they used a welcome message, pages or files — because they would no longer have access or creation/editing rights TO THEIR OWN DATA! Facebook has an IP clause that reads, “you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post.”
The move to cloud computing can be successful if a business uses a thorough due diligence process to discover the risks and verify the vendor claims. Armed with knowledge of these risks, businesses can make informed decisions about which services belong in the cloud.
Can the risks of cloud services be mitigated?
- Business professionals should not fear cloud services
- They present different risks than traditional services but it is still information security
- Some services may be too risky or too burdened by compliance to move to the cloud
- Information technology should add value in the vetting of potential cloud service providers
Joe also recommends doing thorough due diligence, with a procedure that defines the process for acquiring and utilizing cloud services; he recommends developing a Risk Assessment framework and requiring the cloud service provider to comply with security specifications, backed by audit documentation. Do a thorough review of the financial position of the provider. Also, the cloud provider’s architecture, network diagrams, physical security, network security, host security, web security, cryptography and data ownership should all be assessed. And lastly, he stressed that cloud services require more legal and compliance knowledge than more traditional computing models.
And one more thing – make sure ANY password you use is more than seven characters and is a non-English word (don’t use any kind of recognizable nouns or verbs). Hackers can crack a password built from recognizable words in six seconds or less!
Interested in moving your Sage CRE software to the cloud? Try a 30-day free trial of TimberCloud, a solution designed specifically to host Sage 300 CRE (formerly Timberline). Or, call Tony Merry at 480-423-8300 to find out more.