P. 1
eBook Cloud 9316

eBook Cloud 9316

|Views: 6|Likes:
Published by Lalaiah Yatakula

More info:

Published by: Lalaiah Yatakula on Aug 26, 2012
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

08/26/2012

pdf

text

original

Brought to you by the publishers of

COMPLIANCE WEEK

INSIDE THIS PUBLICATION: Risks and Benefits of Employee-Owned Devices PwC: Establishing Trust in Cloud Computing Improving Data Security for Cloud Computing GeoTrust: Choosing a Cloud Provider with Confidence Outlook Improving for Data Security in the Cloud

Mobile and Cloud Computing
An e-Book publication sponsored by

Improving Data Security for

Products include True BusinessID with Extended Validation SSL Certificates. we actively leverage our diverse institutional knowledge. PwC provides professional services offering cloud providers and their customers an independent and objective assessment of controls and policies related to cloud computing technology. Founded in 2002. code signing. GeoTrust. Multi-Domain Certificates. My Credential Certificates. a monthly print magazine. technology. audit. and Enterprise SSL. a leading certificate authority. legal.000 professionals in 151 countries. Compliance Week has quickly become one of the most important go-to resources for public companies. PwC has been providing professional IT and compliance services for over 100 years. and brand. industry-leading events. and VeriSign Certified Document Solutions. and a variety of interactive features and forums. Quick SSL Premium Certificates. risk. Compliance Week now reaches more than 26. risk. developing. With strong industry credentials and more than 163. secure email. and enterprise SSL products. proprietary databases. UC/SAN SSL certificates. and implementing tailored solutions for clients—both within the technology sector and across all industry sectors. Our professionals are recognized throughout the industry for their innovation in analyzing. and security professionals you can trust to help you see through the clouds and protect your assets. and compliance that features a weekly electronic newsletter. audit. True BusinessID SSL Certificates. As broader enterprise adoption of cloud computing technology emerges.2 e-Book A Compliance Week publication Compliance Week is an information service on corporate governance. experience and solutions to provide fresh perspectives and significant value for our clients. provides retail and reseller services for SSL encryption. and website authentication. you need IT. and compliance executives. Wildcard SSL Certificates.000 financial. . digital signatures.

3 Inside this e-Book: Company Descriptions Risks and Benefits of Employee-Owned Devices PwC: Establishing Trust in Cloud Computing Improving Data Security for Cloud Computing GeoTrust: Choosing a Cloud Provider with Confidence Outlook Improving for Data Security in the Cloud 2 4 6 10 12 18 .

“The BlackBerry was a business instrument that maybe you did some personal stuff on. from a political standpoint to use compliance to say.” adds Ottenheimer. “Unfortunately the developers of mobile applications and the cloud services that support them did not bake compliance and security into the solutions.” Dakin recalls sitting on a flight recently beside a fellow passenger who was frantically pounding out an executive briefing filled with sensitive sales data on a brand new iPad. co-author of “Securing the Virtual Environment: How to Defend the Enterprise Against Attack. and to make sure the devices that are brought in meet our compliance guidelines.” Launched in 2010. Some IT security experts say that companies can allow a BYOD approach and still maintain some security standards. and run with. ‘You can bring your device. “[In the past] they have been able to put policies in place . According to Dakin. No longer content with just a company-issued desktop or laptop. they will be productive. The other 40 percent? We have no clue. “I think the rapid change caught developers and enterprise IT off guard. an information technology governance. A Embracing BYOD study of 600 U.’” he says.” the study’s authors wrote. not that many people really bought a BlackBerry themselves. has no idea what the access controls are. maker of that longtime business staple the BlackBerry— companies are increasingly embracing a “bring-your-owndevice” workplace. these same “market transitions” led to a decision to cease development of its Cius tablet. to protect our assets.” he says.” While some companies are embracing the BYOD approach—happy to let employees bear the cost of hand-held devices—others are clamping down on the practice out of security concerns. According to the study. Rege says. has no idea what data is being addressed. “IBM has a lot to lose if Siri is actually leaking data out.” says Rick Dakin. president of information security firm Flyingpenguin.” Companies have already looked at issues like encryption and password protections. a company that provides enterprise management and security for mobile devices and apps. “Companies have to find a way. most companies don’t even realize the security risks they are taking when they allow employees to use their own electronic devices. like iPhones. and compliance firm. “The IT department of that enterprise has no idea what he is doing. vice president of strategy for MobileIron. IBM recently evicted Siri from its workplace and banned employees from using their own devices. no idea how that data is being transported. the enterprise-focused tablet found itself struggling to draw market share away from the consumerlevel devices being integrated into the workplace. it is more than bringing your own device to work. I can provide evidence that we have compliance on these rigorous data protections and intellectual property protection policies that you set on 60 percent of our devices. IT and business leaders conducted in May by Cisco finds that more companies are embracing BYOD.” he says. Eighty-four percent of IT departments not only allow employee-owned devices.S. “IT is accepting. “If you give employees a workspace that they are able to own. it is managing compliance in the post firewall era. in self defense.” says Davi Ottenheimer.4 e-Book A Compliance Week publication Risks and Benefits of Employee-Owned Devices By Joe Mont F ueled by the popularity of the iPhone and iPad—and aided by the uncertain future of Research in Motion. and in some cases embracing.” Ottenheimer says. Mobile computing has “dramatically changed how we exchange data. but we will hold you responsible and we will take action. using the airplane’s insecure WiFi—a scenario he says is far too common. The trend toward BYOD has both helped and hurt Cisco. For example. CEO and co-founder of Coalfire. enterprise-level security. employees are looking to thumb their way through e-mail and what is often sensitive company data whenever. In a way. and has no ability or access to wipe that iPad should he lose it. but also provide some level of support and 36 percent of those surveyed say enterprises provide full support for employee-owned devices. “I think the BYOD discussion is going to come down to how much you can get away with before you introduce harm. particularly when it comes to privacy issues. In May the company announced that while the trend has led to “tremendous interest” in its Jabber and WebEx collaboration software. to view company data.” Ottenheimer says. IBM cited concern over the way Apple’s data pipeline between users and the voice-activated “personal assistant” could compromise security. ‘Well. What they haven’t done as well is to bridge the gap between implementation and policy. The trend has forced companies to weigh the benefits of a happy. they choose on devices they purchase themselves. BYOD as a reality in the enterprise. productive workforce with security issues and regulatory requirements. The same trends haven’t been kind to BlackBerry. The role has reversed. What’s changed now is that every individual wants a smartphone or a tablet and it is a personal instrument that they are also going to do business on.” says Ojas Rege. risk. 95 percent say their organizations permit employee-owned devices in some form in the workplace. “Can you imagine being the internal auditor and going to your board of directors and saying. that are more consumer focused and don’t offer robust. But on the flipside you are also introducing so much more risk. like Dropbox. and wherever. IBM also bans cloud-based services. “In the old days.

with a personal device that is being used for business. Source: Cisco. you don’t get access to anything.” Rege says. they just need to plan for it and execute for it. with that firewall mentality of a hard candy outer shell with a soft. “I think there are going to be some new models for how a compliance team is structured and how the relationship with whatever regulatory body is managed on a daily basis. they don’t need to fear migration to mobile.” he says. you only get access to e-mail and not an application with financial data. gooey inside. so anything they do on the security side that breaks user experience will just lead that well-intentioned user to go rogue. They then need to assess what could happen to a mobile device that might pose a threat to corporate data. privacy becomes relevant. That’s really where their education stopped. “They will just go around it. is to identify the baseline for corporate data protection. “Most companies have not.” Rege says. gets access to all my enterprise resources. “Unfortunately.” Ottenheimer predicts that these issues will gain more focus as younger people. “If the trust level of that device drops. “There are a lot of companies that are worried about moving forward with next-generation mobile apps because they are not sure how to handle their compliance teams and regulators in a way that gets everyone to a place where they need to be. which has defined characteristics. In a BYOD setting. companies also need to navigate regulatory hurdles.5 without really having to consider the impact of privacy. “Security is an enterprise worried about losing its data. but from two very different perspectives. Privacy is a user worried about losing his or her data. If the trust level drops even more. says Dakin. Similar to how companies deploy data classification programs. “The early wave of security was all about firewalls and intrusion prevention because the bad guys lived in Russia and they were going to attack us over the Internet. “The mind shift compliance and security teams need to have is that the user experience is fundamental. “You can say that a highly trusted device. the ones who allocate the capital.” he adds.” Updating security policies to adapt to mobile devices is another important step.” Dakin says. such as its location or behavior pattern.” Beyond users. It is exactly the same problem. enter government. don’t understand the technology. raised on technology. Internal audit requirements also have to be updated to account for mobile computing. users can have privileges reined in based on their mobile devices’ trust level.” he says.” Rege says. suddenly. “We are transitioning into the era of the tech-aware regulator. . many of the business decision makers. because the solutions are there. ■ The following graph from Cisco shows what is trending now for mobile devices. such as a lost phone or a user who removes password protection. “It is a question of raising the awareness.” He says the trust level of a particular device can be changed through the day depending on its characteristics. Rege says.” he says. User experience will actually MOBILE DEVICE TRENDS trump your security policy.” T Protecting Data he first step for companies looking to adapt to BYOD demands.

business-critical data is paramount. Of particular concern are the risks associated with using a public cloud.7 billion this year to $241 billion by 2020. Inc. availability. report on. but you have no way of knowing if a provider has adequately prepared for high usage levels across multiple cloud users. 2011 Cloud providers promise certain levels of availability and uptime. 2 Protecting sensitive.” January 2012 compliance with regulations. “2012 Global State of Information Security Survey. 29. partners. but it can mean giving up some control over these risks. It is no surprise that cloud computing is the fastest-growing trend in enterprise technology today—and for the foreseeable future. Inc. they remain concerned about the risks associated with cloud computing. companies need transparency into how well cloud providers’ environments address their concerns. or critical transaction processing to the cloud.” September 2011 3 PwC. independent reporting solutions to address the trust gap between providers and users—may be part of the answer.KNOWLEDGE LEADERSHIP Establishing Trust in Cloud Computing By Sharon Kane and Cara Beston Cloud Value Proposition Cloud computing has unprecedented potential to deliver greater business agility and flexibility while lowering IT costs. Forrester Research. Plummer.4 Third-party assurance may be the catalyst companies need to embrace cloud computing with greater confidence. employees. data intensive. and business processes. 2 This is no surprise given the results of our 2012 Global CEO Survey. 62% of respondents who outsource IT say that data security in the cloud is a serious risk.. 1 Forrester Research.519.. Risks with Cloud Computing Some of the risks associated with cloud computing include the following: » Security: In a recent PwC survey. et all. In PwC’s 2012 Global Information Security Survey of more than 9. This is an especially relevant concern for companies considering moving high-volume. 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service.600 security and IT leaders. 2012 and Beyond: Control Slips Away. Moving to the cloud can provide unprecedented benefits. and meeting stakeholder commitments are essential to a company’s reputation. and regulators—to manage risks. As such.COM » 888. WWW. but you have no way of knowing if a provider has adequately prepared for high usage levels across multiple cloud users. many business leaders are concerned about how they will address the issues that surface in every conversation about the cloud: security. data privacy and integrity. You could be at a competitive disadvantage or subject to negative publicity and legal or regulatory action if your intellectual property or other data is accessed by other cloud users or hacked. Gartner. data privacy and integrity. an independent and objective organization delves into a cloud provider’s environment to identify and test controls that govern the ability to deliver promised levels of service along with sufficient security. and compliance. applications. which indicated 31% of CEO’s expect a significant change in strategy related to the adoption of new technologies like enterprise mobility and cloud computing over the next three to five years.” Daryl C. Inc. customers. 41% of respondents said their organization has implemented some form of cloud computing. “Summary Report for Gartner’s Top Predictions for IT Organizations and Users. they can’t outsource their obligations—to investors. “Sizing the Cloud. While businesses can outsource their systems. predicts the global cloud computing market will mushroom from $40.” April 2011 2 PwC. and compliance.COMPLIANCEWEEK. With third-party assurance. In an era where corporate governance. 3 While most CIO’s now consider cloud computing mature enough for some level of adoption within the enterprise. Third-party assurance—that is. predicts that by 2016. » Availability: Cloud providers promise certain levels of availability and uptime.1 Cloud has already taken flight in many IT organizations. availability. which is where the greatest benefits can be achieved.9200 . “15th Annual Global CEO Survey 2012. November. and manage your 4 Gartner. » Data integrity: You rely on data to forecast. Inc.

Even the loss of relatively small amounts of customer data has led to bad publicity and brand damage for many large organizations. Cloud computing provides very clear benefits. these advantages require that your organization cede control over risk mitigation and management to a third-party cloud services provider. The amount of comfort you will want to obtain will depend on the risk associated with your cloud adoption. but they often do not include customer-centric monitoring of SLA performance or financial adjustments for non-performance that protect cloud users.COM » 888. They also want proof that a cloud provider is operating in a way that meets changing regulations and standards set out by government agencies. resources.9200 . and effort into compliance with ISO 27001/27002. respond more quickly to internal IT needs. while reducing risk and providing the trust and transparency you need? Protecting Against Risks Cloud providers know that businesses have reservations about cloud computing. the Federal Information Security Management Act (FISMA). Even when these assessments are thorough. you may be subject to fines and penalties for non-compliance. your cloud service provider may use your data for secondary purposes if data ownership rights are not addressed in contracts. useful information with enough relevance and detail to help them make decisions and compare providers. Cloud providers may offer the following assurances: » Compliance “certifications”: Increasingly. » AICPA Service Organization Reports: These reports range from addressing a provider’s internal controls as they relate to information processing systems relevant to financial reporting (SOC 1 or SSAE 16) to an assessment covering technology related areas such as privacy. primarily focused on security. and credit card numbers—from breaches. Also. Customers and prospective customers are looking for timely. Exposing customers’ personal information can also result in fines. However. but a provider’s need to protect confidential processes can limit the scope of customer audits. PCI Data Security Standards and other standards. confidentiality. Finally. Without sufficient data retention and access rights. but their efforts to overcome doubts often fail to inspire the confidence of potential cloud users. customers are requiring providers to demonstrate compliance with a growing number of traditional standards. WWW. industry groups.519. health information. they are not objective. cloud users need specialized resources to conduct effective audits. processing integrity. availability. Your business may also be subject to regulations or legal processes that require ready access to significant historical data. generally focused on the documentation of security policies. However. these advantages require that your organization cede control over risk mitigation and management to a third-party cloud services provider. » Data privacy: You are obligated to protect customers’ and employees’ personal data—such as social security numbers. » Self-assessments: Providers prepare assessments based on their own framework. » Service level agreements (SLAs): These agreements spell out the provider’s obligations. The question is: How do you choose the right cloud provider—one that will help you realize business objectives. Moving to the right cloud provider can help your company save money. provide new services and products to customers.COMPLIANCEWEEK. and expand as business grows. As a result.PWC business. and their own governance boards. » Customer audits: Providers complete customer-prepared checklists and detailed questionnaires about capabilities. Cloud computing provides very clear benefits. cloud providers are investing great amounts of time. the Health Information Portability and Accountability Act (HIPAA). and security of service providers (SOC 2). Inaccurate or incomplete data coming from a cloud provider’s systems could result in poor forecasting or incorrect public reporting.

developing. which will require having an independent Third Party Assessment Organization perform an initial system assessment and ongoing monitoring of controls. and implementing tailored solutions for clients—both within the technology sector and across all industry sectors. technology.com/structure for further details. authorization. While existing compliance and regulatory frameworks were not developed to address the specific risks of cloud. To choose a provider you can trust. audit. All rights reserved. This content is for general information purposes only. and security professionals you can trust to help you see through the clouds and protect your assets.COMPLIANCEWEEK. and should not be used as a substitute for consultation with professional advisors. Each member firm is a separate legal entity.COM » 888.519. ABOUT THE AUTHORS Sharon Kane (sharon. Kane Beston WWW.pwc. and there are no established technology or compliance standards specific to cloud. cloud providers may be able to offer a “certification” that alone satisfies your concerns. the most prominent of which is the Federal Risk and Authorization Management Program (FedRAMP). the fundamental risks are similar to those risks that would have been faced with any IT or business process outsourcing. As broader enterprise adoption of cloud computing technology emerges. With strong industry credentials and more than 163. As standards evolve. cloud service providers will be able to seek FedRAMP certification. ■ About PwC PwC has been providing professional IT and compliance services for over 100 years. and may sometimes refer to the PwC network. you need IT.kane@us. Please see www.l.KNOWLEDGE LEADERSHIP A Cloudy Future The technologies and processes used to deliver cloud computing are evolving. To choose a provider you can trust. While the FedRAMP program is specific to cloud providers seeking to do business with the government. and brand. third party assurance may be necessary for you to trust your most valuable asset—your brand—to cloud computing with confidence.000 professionals in 151 countries. Yet every cloud provider is different. © 2012 PricewaterhouseCoopers LLP. we actively leverage our diverse institutional knowledge. and continuous monitoring for cloud products and services. evaluate the level of assurance they can offer you and supplement it with your own evaluation of controls. PwC provides professional services offering cloud providers and their customers an independent and objective assessment of controls and policies related to cloud computing technology. They have significant experience working with both technology providers and cloud users on evaluating the risks and controls associated with cloud computing technology. this framework and associated certification may provide commercial companies a foundation of comfort that a cloud provider has been subject to an independent assessment of controls relevant to cloud. Emerging control standards are also under development. Beginning later in 2012.9200 . as necessary. but. until then.com) are partners within PwC’s assurance practice. experience and solutions to provide fresh perspectives and significant value for our clients. FedRAMP is a US government-wide program that provides a standardized approach to security assessment. a Delaware limited liability partnership. Our professionals are recognized throughout the industry for their innovation in analyzing. PwC refers to the US member firm. as necessary. Many cloud providers have invested heavily to develop highly secure and available environments. com) and Cara Beston (cara.beston@ us. evaluate the level of assurance they can offer you and supplement it with your own evaluation of controls.pwc.pwc.

and should not be used as a substitute for consultation with professional advisors. PwC refers to the United States member firm. go to pwc.Turning cloud into business value One thing’s for sure. It can make your business even more agile and collaborative. Which suggests the importance of developing and implementing a comprehensive cloud strategy that considers governance. Please see www. The right cloud strategy and execution plan can transform your business. All rights reserved.pwc. To learn more about how PwC can help turn your cloud strategy into business value. Each member firm is a separate legal entity. . This content is for general information purposes only. and may sometimes refer to the PwC network. security. a Delaware limited liability partnership.com/structure for further details. and controls along with the impact on IT.com/us/cloud © 2012 PricewaterhouseCoopers LLP. increase innovation and decrease time to market. The strategy for the cloud has moved beyond cost reductions.

” said social versus secure. and “We need to stop saying ‘no’ and partner with our user community. there are no easy that allows you to understand when a solutions to solve the security risks. in particular. only 39 percent bile apps is driven by a young generation that has never been have the necessary security controls to address the risks.” said Salem. tied to a desktop system. a recent “Global Study on Mobility Risks” ployees maintain dozens? conducted by the Ponemon Institute reveals the degree to which mobile devices are circumventing enterprise securi» How do you protect information when the workforce ty and policies. one that recognizes threats with more requirements around governance and compliwithout affecting the corporate infrastructure. workforce is “more open. This new of four essential pillars: —Enrique Salem. it has to be both. Digital natives readily turn to their mobile devices. Companies still have a long way to go. This new world cannot be a choice between » A response plan that includes enforcement officials social versus secure. world of doing business means enabling interconnectivity. The new that can help with an ultimate solution. native” generation. and the cloud to solve problems. it will be a barrier to the new cannot be a choice between world of business. compliance. rather than obtaining information from a single source. gate those risks. great progress is being made toward getting them solved.” said Salem. com at the RSA Conference in San be both.” it comes to adopting necessary security controls and enThat push for access to social media platforms and moforceable policies. social networking sites.” said Salem. solutions that can move faster than A “lockdown mentality” is not the answer. and share information. » How do we manage online identities when our emIn fact. While security problems still abound. According to the survey of more than 4. when and controls. “This is the future of business. and access while at the same time dealing » State-of-art protection. such as a search query. ance. Typically born in the 1990s. He transformation in our industry. mobility. yet the related security risks continue to frustrate IT professionals.10 e-Book A Compliance Week publication Improving Data Security for Cloud Computing More challenges face companies looking to mitigate data security risk By Jaclyn Jaeger T he advent of cloud computing and mobile devices has. According to the study.000 shares information freely? IT practitioners in 12 countries. however. and collaborative. transparChief Executive Officer.” » Reliable early warning systems Symantec At the same time. “If we can’t answer these quescommunity. it has to described the need for an “advanced Mark Benioff. ent.” persistent protection” plan made up Francisco in February. digital natives have never known a time before the Internet or mobile devices. but 76 percent also believe and partner with our user these devices put their companies at risk. CEO of Salesforce. Salem offered a list of three questions companies in every industry must think about to move forward: . Salem described how the “digital and only 45 percent have enforceable policies. has forever changed the Part of the problem is that employees don’t always fol- way companies conduct business. This new world “We are going through a massive tions. dramatically changed the way employees access. 77 percent said the use of mobile devices in the workplace is » How do we keep track of a subimportant to achieving business obstantially higher volume of online ac“We need to stop saying ‘no’ tivity? jectives.” said Salem. the threat can spread across the company.” said Symantec CEO Enrique Salem at the conference. » Fast remediation. “We’re being required to offer more services. as well as allowing for “strong governance. use. new threat is potentially going to ateven while pressure mounts to mititack. of course.

and cloud audit trails need to be set up and monitored. “They need to immediately protect data. which is a serious concern. president of Websense. the network can determine several factors. a data security firm.11 low the controls and procedures. and they need to establish and enforce security practices and policies. IT is being challenged like never before.” Traditional static security solutions such as antivirus.4 1. senior director of product marketing management of security provider Websense. but flexible enough to work across a variety of platforms.” said Larry Ponemon.” said Tom Clare. which sponsored the study.6 0. “It’s clear that employees are deliberately disabling security controls. Christopher Young. 77% 76% 0. The use of mobile devices in the workplace represents a serious security threat. and passwords are not always effective at stopping advanced malware and data theft threats from malicious or negligent insiders. Companies already have available the tools they need to achieve greater visibility. “These devices open the door to unprecedented loss of sensitive data. also spoke at the RSA event.” Young added. 59 percent of respondents report that employees circumvent or disengage security features. even the strong ones. are easily compromised. “This replaces that one size first all policy that most organizations are using today. “Today we can access standard language that is directly embedded in routers and switches that automatically enforces our policies. firewalls. and when? » » » “What makes all this context power is that now legitimate users can safely get access to the resources that they need on your network. iPhone? What is the posture of that device: Is it infected. By doing so. During the past 12 months. their companies experienced an increase in malware infections as a result of insecure mobile devices in the workplace. who The employees’ use of mobile devices in meeting business objectives is essential or very important. chairman and founder of the Ponemon Institute. And the continued migration to mobile devices will only make matters worse. Employees’ access to accounts also should be disabled after they leave the company. Fifty-nine percent of respondents reported that over the last year. IT needs to be concerned about the data that mobile devices access and not the device itself. “In a world where uses are bring their own devices to work and where user names and passwords. Data that leaves the cloud should automatically be tagged. said Salem.8 0. Authentication of data also needs to be altered. context aware. said: » How is that device connected—via Ethernet or wireless? What’s the device: a PC.” ■ MOBILE DEVICE RISK Below is a chart from the Ponemon Institute study that shows respondents’ perceptions about the use and risks of employees’ mobile devices (strongly agree & agree responses combined): T New Security Tools o prevent security threats. so that it is as close to single sign-on as possible. . with another 25 percent unsure if they have or not. including laptops.2 0. such as passwords and key locks. “Tablets and iOS devices are replacing corporate laptops as employees bring-their-owndevices to work and access corporate information. on corporate and personal mobile devices. senior vice president at Cisco Systems described the need for more effective firewalls that can track data as it enters and leaves a company’s systems. “As mobile devices become more pervasive and more employees bring their own smartphones and tablets to work. or is it clean? Where is that device connected from. which increase rates of malware infections. and tablets. iPad.” said John McCormack. My organization has the necessary security controls to mitigate or reduce the risk posed by insecure mobile devices.” Administrative burdens on users also must be reduced. added Salem. In fact.0 0. 51 percent of those companies experienced data loss resulting from employee use of insecure mobile devices.” The study indicates that companies often don’t know how and what data is leaving their networks through non-secure mobile devices. “our only way forward as an industry is to deliver increasingly granular. USB devices.0 39% 0% 10% 20% 30% 40% 50% 60% 70% 80% Source: Ponemon Institute.” said Young.” said Young. smartphones. and forced control via the network.

” Enterprises are showing strong interest in outsourced (“public”) cloud offerings that can help them reduce costs and increase business agility.gartner. technology) to deliver the promise of cloud computing to the enterprise.gartner. and should ensure their providers are ready and willing to undergo audits.COMPLIANCEWEEK. SSL is the solution for securing data when it is in motion. and recommends that organizations address several key issues when selecting a provider: 1. But one thing is for certain: cloud technology is quickly rising to the top of every CIO’s priority list.KNOWLEDGE LEADERSHIP Choosing a Cloud Provider With Confidence SSL ProvideS a Secure Bridge to the cLoud E xEcutivE Summary Cloud computing is rapidly transforming the IT landscape.519. and by highlighting the ways in which SSL from a trusted certificate authority can help enterprises conduct business in the cloud with confidence. 2. Most organizations cite cost savings as the most immediate benefit of cloud computing. 3.com/ie/?p=730) r Eady or Not. 4. Regulatory compliance – Enterprises are accountable for their own data even when it’s in a public cloud. Access privileges – Cloud service providers should be able to demonstrate they enforce adequate hiring.9200 . 2 New Opportunities for Business 1 Source: Gartner EXP Worldwide Survey (http://www. 3 Gartner Research has identified seven specific areas of security risk4 associated with enterprise cloud computing.com/it/page. An IDC survey of IT executives reveals that security is the #1 challenge facing IT cloud services. achieves exponentially greater economies of scale by providing a standardized set of computing resources to a large base of customers. Others think it’s just a fad.com/it/ page.jsp?id=1283413) 2 Source: Gartner Research (http://www. New Security Challenges for IT Despite the clear economic benefits of using cloud services. on-demand capacity with self-service provisioning. WWW. oversight and access controls to enforce administrative delegation. concerns about security. compliance and data privacy have slowed enterprise adoption. and pay-per-use pricing models for greater flexibility and agility. com/DisplayDocument?id=685308) Gartner. HErE comES tHE cloud Some people believe cloud computing is the most significant paradigm shift since the advent of the internet. For the enterprise. and industry analysts such as Gartner Research estimate that enterprises around the world will cumulatively spend USD $112 billion on cloud services over the next five years. and the conversation around adopting cloud technology has progressed from “if” to “when.1 Organizations are accelerating their uptake of cloud services.gartner. Many enterprise hosting providers are already well positioned in the market and have the core competencies (people. processes. More specifically. Data location – When selecting a hosting provider. The service provider. and it is critical to make sure hosting providers can guarantee complete data segregation for secure multi-ten3 Source: IDC eXchange (http://blogs. cloud services offer lower IT capital expenditures and operating costs.COM » 888. jsp?id=1389313) 4 “Assessing the Security Risks of Cloud Computing” (http://www. Data segregation – Most public clouds are shared environments. in turn. The goal of this white paper is to help enterprises make pragmatic decisions about where and when to use cloud solutions by outlining specific issues that enterprises should raise with hosting providers before selecting a vendor.idc. These cloud services offer enormous economic benefits. June 3. Many cloud service providers can deliver the security that enterprises need and SSL (secure sockets layer) certificates are part of the solution. it’s important to ask where their datacenters are located and if they can commit to following specific privacy requirements. but they also pose significant potential risks for enterprises that must safeguard corporate information assets while complying with a myriad of industry and government regulations. 2008.

each with different infrastructures. When a browser (or client) points to a secured domain. SSL delivers two services that help solve some cloud security issues. 7. This complexity of trust requirements drives the need for a ubiquitous and highly reliable method to secure your data as it moves to. 5. Whether data is moving between server and browser or between server and server. 6. If an enterprise keeps its data in the cloud.COM » 888. SSL encryption keeps prying eyes from reading private data as it is transmitted from server to server and between server and browser. This process. SSL is the standard for establishing trusted exchanges of information over the internet. from and around the cloud. An SSL certificate can authenticate that a specific server and domain do belong to the person or organization that it claims to represent. Business continuity – Businesses come and go. they must manage all these issues across multiple operators. Without the ubiquity of SSL. is known as the “SSL handshake” and it can begin a secure session that protects data privacy and integrity. any trust over the internet simply would not be possible.GEOTRUST ancy. operational policies. secure network access to it is important.9200 . possibly even more important. Data recovery – Enterprises must make sure their hosting provider has the ability to do a complete restoration in the event of a disaster. First. SSL helps to secure it. What’s more. SSl ProvidES a B ridgE to SEcurE data iN tHE cloud SSL is a security protocol used by web browsers and web servers to help users protect their data during transfer. To reap the benefits of cloud computing without increasing security and compliance risks. is likely to move around between servers in the cloud when the service provider performs routine management functions. Monitoring and reporting – Monitoring and logging public cloud activity is hard to do. is establishing that a specific server and domain can be trusted.519. and security skills. based on a sophisticated backend architecture laced with checks and double-checks for security. The second benefit. enterprises must ensure they work only with trusted service providers that can address these and other cloud security challenges. SSL comes into play anytime data changes location. the server shares its public key (via the SSL certificate) with the client to establish an encryption method and a unique encryption key for the session. when enterprises move from using just one cloud-based service to using several from different providers. so enterprises should ask for proof that their hosting providers can support investigations. that data WWW.COMPLIANCEWEEK. This benefit requires that the hosting provider use SSL from a third-party Certificate Authority (CA). Plus. How Does SSL Work? An SSL certificate contains a public and private key pair as well as verified identification information. and enterprises should ask hard questions about the portability of their data to avoid lock-in or potential loss if the business fails. The client confirms that it recognizes and trusts the issuer of the SSL certificate.

In such a scenario. When it comes to secure and confidential data. HIPAA and any other applicable regulations – and possibly more depending on where the servers and the data are at any given moment. SSL certificates that rely only on the CRL standard are less desirable because in instances of high amounts of network traffic. to the Payment Card Industry Security Standard (PCI-DSS). businesses are burdened with a slew of regulations.519. the enterprise must require the cloud provider to seek some compliance oversight. which affects any company accepting payment cards.COMPLIANCEWEEK. preferably.KNOWLEDGE LEADERSHIP Ensuring Data Segregation and Secure Access Data segregation risks are ever-present in cloud storage. Encryption Businesses should require their cloud provider to use a combination of SSL and servers that support. that scenario is fundamentally changed: the cloud service provider controls where the servers and the data are located. In a cloud environment. Every time an SSL session handshake is initiated. the SSL certificate issued to that device will be valid for a defined length of time. CRL. a rogue server could use a revoked certificate to successfully Facilitating Regulatory Compliance Next are the regulatory compliance risks. If the answer is no. the SSL certificate is checked against a current database of revoked certificates. However. With OCSP a query is sent to the certificate authority asking if this certificate has been revoked. PCI. there is a fail-safe check to verify that the certificate has not been revoked in the time since it was originally issued. 128-bit session encryption (or. Only independent. Authentication Businesses also should demand that server ownership be authenticated before one bit of data transfers between servers. Requiring a commercially-issued SSL certificate from a third-party Certificate Authority that has authenticated the server makes it virtually impossible to establish a rogue server that can infiltrate the cloud provider’s environment. a proper implementation of SSL can secure sensitive data as it is being transmitted from place to place in the cloud. the organization is still responsible for maintaining compliance with SOX. the enterprise will be held liable for data security and integrity even if it is outsourced. at minimum.9200 . consequently completing a handshake and initiating a session based on a revoked SSL certificate. The Online Certificate Status Profile (OCSP) standard is considered the more reliable method by many because it is always up-to-date and less likely to time-out due to network traffic. With traditional onsite storage. requires that the browser download the most current revocation list from the certificate authority and check the list itself to see if the certificate appears in the list. This way their data is secured with industry-standard levels of encryption or better as it moves between servers or between server and browser. There are currently two standards used for this validity check. the handshake may commence. preventing unauthorized interceptors of their data from being able to read it. Online Certificates Status Protocol (OCSP) and Certificate Revocation List (CRL). the certificate authority answers yes or no. WWW. third-party SSL certificates can legitimately deliver ownership authentication. Since the enterprise IT manager cannot rely solely on the cloud provider to meet these requirements.COM » 888. In the rare case that an SSL certificate has been compromised in some way. and between cloud provider servers and end users on browsers. the business owner controls both exactly where the data is located and exactly who can access it. Self-signed SSL certificates provide no authentication. on the other hand. These range from laws like the Sarbanes-Oxley (SOX) Act which affects only public companies. to the federal Health Insurance Portability and Accountability Act (HIPAA) which affects any businesses with even the remotest possibility of touching patient data. When an organization outsources IT to a cloud service provider. Certificate Validity Once a server and domain are authenticated. As a result. the stronger 256-bit encryption). this step can be missed: some browsers will misinterpret an incomplete CRL review as a confirmation that a certificate is not on the revoked list. In Europe there is the EU Data Privacy Directive and Canada has an equivalent Personal Information Protection and electronic Documents Act (PIPEDA).

Feature upgrades such as permission modifications. Not All SSL is Created Equal The chain of trust extends beyond the cloud vendor to their security provider. Enterprises need to make sure their cloud provider uses an SSL certificate that cannot be hacked. Keeping Data Away from Undesirable Locations SSL addresses the third area of risk. SSL adds an extra layer of protection to the backup and recovery process for a business. The cloud vendor’s security is only as good as the reliability of the security technology they use. as long as the cloud provider requires trusted authentication and encryption on all their servers through SSL from a certificate authority following such a practice. Cloud providers should be using SSL from an established. an enterprise will know that the cloud provider isn’t storing their data on IT hardware in these countries. In addition. Public clouds are like black boxes: while they enable ubiquitous access to data. but the host has a problem with the site’s SSL certificate. technological changes to the cloud computing environment can unknowingly whittle away at the compliance of a cloud computing provider’s customer. an enterprise can be assured that its data will be secure as it moves around the cloud.Cloud computing providers who refuse to undergo external audits and security certifications are “signaling that customers can only use them for the most trivial functions. Gartner states that “any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to total failure. data from backups or duplicates. Other Areas Where SSL Can Help The enterprise needs to know how their cloud provider. July 2010.” and that any business in the cloud has a duty to know if the cloud provider is able to completely restore 5 “Domain 10: Guidance for Application Security V2. So. Will that user ignore the browser warning and click through to complete a transaction on a seemingly-untrustworthy site? Not likely.519. Alternately. legitimate third-party SSL provider such as GeoTrust or VeriSign will not issue an SSL certificate to a server in an interdicted country such as North Korea and Iran. cloud hosts will attempt to recover data from backup servers. the enterprise IT organization should also demand the following security requirements for the cloud provider’s SSL security: WWW.” according to Gartner. data location. 5 Here. For example: suppose an enterprise chooses a cloud provider to host their e-commerce web site. SSL encryption renders all sensitive data useless to any third party intercepting or viewing it. Additionally. If a crash happens. in the same manner. But if a cloud provider uses SSL to encrypt data as it changes places. reliable and secure independent Certificate Authority. and SSL certificates provide a highly visible and immediately recognizable way to accomplish that. with servers around the globe.COMPLIANCEWEEK. ensuring that data accessed from backup or duplicate servers is encrypted in transit and that servers being uSiNg SSl to EStaBliSH aNd maiNtaiN truSt iN tHE cloud Using a cloud service provider requires a high level of trust and confidence. Businesses must insist upon a critical reliability equation to establish trust.” Cloud Security Alliance.1. introduction of mobile devices. safeguards data in the case of a disaster. cloud service providers should maintain backup data repositories. A user visits the site and is immediately greeted with the alarming “Secure Connection Failed” error or “There is a problem with this web site’s security certificate” message. in addition to making sure the SSL comes from an authorized third-party. So. as with data segregation.9200 .COM » 888. Its SSL should deliver at minimum 128-bit session encryption and optimally 256-bit encryption. and network changes also can affect compliance. SSL encryption thwarts accidental disclosure of protected or private data as regulatory due diligence and data access is automated. And it should require a rigorous authentication process. new capabilities. Business critical applications cannot rely on trial and error. and how long it will take. missing or broken SSL can destroy trust instantly. they also obfuscate the physical location of the servers and the data. To prevent data loss.

The fundamental encryption capabilities of this system were compromised from 2006 to 2008. Extended validation certificates (EV) are the best choice for server-to-browser connections because they offer the strongest level of authentication and the clearest validation that the connection is secure. Using EV ensures that the organization’s identity has been verified through official records maintained by an authorized third party. but they do not offer the highest level of confidence-building features for the end user. » A chained hierarchy supporting their SSL certificates. With EV certificates.COMPLIANCEWEEK. the amount of effort put into validating the ownership and control of that server and domain. and that the person applying for the SSL certificate for that domain or server is an authenticated representative from that organization. Additionally. and that is all.html an encrypted exchange of information. many servers rely on a Debian-based operating system for generating their SSL keys. 1. Enterprises should make sure their cloud provider is not relying on servers nor SSL certificates which may be have been compromised by this flaw. and that the person requesting the certificate is an authorized agent of the organization. There are four levels of authentication for SSL.com/securityfix/2008/05/debian_ and_ubuntu_users_fix_yo. SSL certificates can be issued for validity lengths of up to six years. These SSL certificates are acceptable choices for server-to-browser connections. These certificates are not recommended for server-to-browser connections because they do not vet or display the identity of the organization responsible for that domain or server. 2. An SSL certificate with this highest level of authentication can uniquely trigger unmistakable identifiers in an end-user’s web browser: a green browser address bar that displays the name of the organization.519. and the name of the certificate authority which issued the SSL. so it is possible that SSL with this flaw is still being used. because the issuer vouches for the credential’s authenticity. When end users encounter the green ad- WWW. Organization validated certificates offer reliable authentication for the cloud because they validate that the organization claimed to be responsible for the domain or server actually exists. as is the right of that organization to use that domain.9200 . All enable 6 Source: http://voices. At least one intermediate root in the chain adds an exponential level of encryption protection to prevent attacks to the global root.COM » 888. physical and operational existence of the organization is verified. 3. » Secure hashing using the SHA-1 standard to ensure that the content of certificates can not be tampered with. Self-signed certificates offer zero authentication to enable encryption.6 Authentication Generates Trust in Credentials Trust of a credential depends on confidence in the credential issuer. Domain validated certificates offer only basic authentication because they only confirm that the person applying for the certificate has the right to use a specific domain name. while maintaining a rigorous authentication methodology and a highly reliable infrastructure. This type of SSL does not provide the security required by an enterprise. the difference lies within the strength of the server and domain authentication— in other words. the legal. 3.KNOWLEDGE LEADERSHIP » A Certificate Authority that safeguards its global roots behind layers of industrial-strength security. It is best to choose a cloud provider who standardizes on a certificate authority that is well known and trusted by browser vendors. Certificate authorities use a variety of authentication methods to verify information provided by organizations. » A Certificate Authority that maintains a disaster recovery backup for its global roots » Global roots using the strong new encryption standard employing 2048-bit RSA keys.washingtonpost. employing multiple levels of electronic and physical security measures.

dress bar.com CORPORATE HEADQUARTERS GeoTrust.GeoTrust. WWW. Our range of digital certificate and trust products enable organizations of all sizes to maximize the security of their digital transactions cost-effectively. and designs are registered or unregistered trademarks of GeoTrust. coNcluSioN: go witH wHat you K Now SSL is a proven technology and a keystone of cloud security. Contact Us www. The SSL issuing authority should maintain military-grade data centers and disaster recovery sites optimized for data protection and availability.uk APAC SALES OFFICE GeoTrust.000 customers in over 150 countries trust GeoTrust to secure online transactions and conduct business over the Internet. V is the preferred choice for hosting applications and services in the cloud.COMPLIANCEWEEK. USA Toll Free +1-866-511-4141 Tel +1-650-426-5010 Fax +1-650-237-8871 enterprisesales@geotrust. For these and other reasons.com © 2011 GeoTrust. 350 Ellis Street.com EMEA SALES OFFICE GeoTrust. Inc. the enterprise should consider the security options selected by that cloud provider. CA 94043-2202.9200 . J Mountain View. Inc.geotrust.com/sell-ssl-certificates/ strategic-partners. Its SSL should deliver at minimum 128-bit encryption and optimally 256-bit encryption based on the new 2048-bit global root.203. WC2B 4HN. Inc. and VeriSign® SSL brands all offer SSL products that meet these requirements.0240958 sales@geotrust. Bldg. Knowing that a cloud provider uses SSL from a trusted certificate authority can go a long way toward establishing confidence in that provider’s commitment to safeguarding the data in its possession.html. All other trademarks are the property of their respective owners. visit http://www. Inc. United Kingdom Tel +44. service marks.0240907 Fax +44. the GeoTrust design. reliable and secure independent certificate authority. ■ Learn More To find a trusted cloud service provider that meets the criteria outlined in this white paper. and its subsidiaries in the United States and in foreign countries. More than 300. The GeoTrust®.co. And it should require a rigorous authentication process. Cloud providers should be using SSL from an established. About GeoTrust GeoTrust is a leader in online trust products and the world’s second largest digital certificate provider. The SSL certificate authority needs its authentication practices audited annually by a trusted third-party auditor. and other trademarks. Numerous businesses have reported noticeable uplifts in completed transactions (18 percent on average for VeriSign customers) after deploying Extended Validation SSL.203. Thawte®. Inc. GeoTrust. When an enterprise selects a cloud computing provider.519. When selecting a cloud service provider. All rights reserved. Enterprises should consider the seven categories suggested by Gartner when evaluating (and especially when contracting with) cloud computing solutions. the GeoTrust logo. enterprises must also be very clear with their cloud partners regarding handling and mitigation of risk factors not addressable by SSL. 134 Moray Street South Melbourne VIC 3205 Australia sales@geotrustaustralia.COM » 888. 8th Floor Aldwych House 71-91 Aldwych London. they have complete assurance that their connection is secure.

Because you may That’s not to say that data security there. agrees. who teaches a seminar on cloud computing contracting. In terms of auditing. including SAS 70. managing content and delivering prodervice-level agreements can shore up cloud security and ucts to customers. are the fasteststandards. which is server-and-storage for hire. “It’s not just of losing control over one’s data. says his organization sees the cloud as an opportunity to let Elsevier focus In the Contract on its strengths. the risk is reduced if it’s ensend to the cloud. the list goes on. It depends on Different types of cloud models have their own data-sewhat you give the public cloud in the first place. rather Director.com. “The move “If you’re doing processing on to the cloud really puts the focus back ness. Portability and Accountability Act (HIPAA). the benefits of cloud computing are familiar: calls “regulated data”—information that falls under the rapid deployment. ISO 20000. The Cloud Security Alliance and the Open Data IBM. scalability.” he says. security. a publisher of science and health data. savvy dealings with cloud-computing providers. “because it looks at things strategiThe cloud provider doesn’t necessarily have to underBy Todd Neff S . ever. the Payment accounting gains from expensing costs rather than capitalCard Industry Data Security Standard (PCI DSS).0. the Health Insurance to focus on the business rather than running data centers.” he says. others. and new software your end and put personally on application security and good IT offerings is chipping away at data identifiable information in governance. California at Los Angeles. Trappler. Cass says. the risk is reduced view involves a hard look at the applisition to the cloud much less of a leap of faith. crypted when it gets there. Cass says. “the key perts see an increasingly wide range thing is to make sure the application is —Douglas Barbin. hosted by the likes of Amazon. vier. as well-known. and platform as ing on certifications to demonstrate their commitment to a service (PaaS).” Barbin adds. Google. PCI DSS 2. on the other hand. we can revisit some of the Don’t be deceived by imbalance in pros and cons. of data as cloud-eligible. The good news is cloud readiness assessment and a sethat a combination of IT self-awarecurity review. in turn. and the consequences BrightLine and cloud-security auditor. Microsoft. Elsevier takes the cloud off the table. deciding designed with security in mind. While exer’s security and firewalls. and hybrid clouds. howregulated data applications. if it’s encrypted when it gets cations themselves. Cass says. Cloud providers are pil(IaaS). as security gets better and there’s pliance. a virtual software-development platform. Computing vendors host private.” he says. the valDouglas Barbin. “it used to be that the forgrowing markets. If you’re curity and compliance implications—which. and many others. Elsevier’s default IT position is to think lessen the risk of moving to the cloud. Brightline what to keep in-house and what to than having to put security around move to the cloud depends on an orthe application. says Thomas “cloud-first” for every application and revert to in-house Trappler. of other laws and industry standards? The tally of “the cloud’s” principal disadvantages is just If so. assessment resecurity concerns. chief information security officer of Else1 and SOC 2 seem to be more the norm. with the right SLAs in place and he analysis starts with Elsevier’s enterprise architecthe right provider.” Cass says. albeit a lot shorter: data security and com“As the cloud matures. more visibility into the product. SaaS and IaaS.” he says. those two drawbacks have cast quite a shadow on Applications passing the first test then go through a cloud adoption. and Public clouds.18 e-Book A Compliance Week publication Outlook Improving for Data Security in the Cloud B T cally across Elsevier. ture committee.” not have control over a cloud providproblems are evaporating. The first hurdle is a big one: Does the proposed cloud application involve what Cass y now. low startup costs. a director at ue (or savings) the cloud can impart. where they provide software as a service The risk is also reduced by finding the right service pro(SaaS)—think Salesforce. now [the AICPA’s] SOC David Cass. says even HIPAA-class Risk Analysis data could be cloud-ready. on the cloud provider and how good they are. infrastructure as a service vider in the first place. director of software licensing at the University of data centers if the cloud looks too risky. hinge doing processing on your end and put personally identifion the nature of the data and processing a company wants to able information in the cloud. ability purview of the Sarbanes-Oxley Act. ganization’s appetite for risk. or a host izing them. ward-thinkers were doing SAS 70. making the tranThe cloud readiness the cloud. are the most economically Center Alliance are also publishing guidance on security attractive. Barbin says. public.

» Availability—Cloud providers promise certain levels of availability and uptime. It integrates into existing McAfee security products with the defining philosophy that a company should be able to extend its approach to IT security into the cloud’s SaaS and IaaS environments. but you have no way of knowing if the provider has adequately prepared for high usage levels across multiple cloud users. » Service level agreements (SLAs): These agreements spell out the provider’s obligations. report and manage your business. are the best bet for “audit-sensitive” offerings. The big names in IT security are playing in the cloud. they are not objective. The same is true for data viewed and misused by cloud administrators.net. provides a layer of control and auditability for Google Apps.” Trappler says. This is an especially relevant concern for companies considering moving transaction processing to the cloud. health information and credit card numbers. risks include: in the common tongue) users quickly and across cloud and corporate platforms. you may be subject to fines. Trappler adds. an identity and access management service. For example. penalties or judgments for non-compliance. Source: PwC Whitepaper on Protecting Your Brand in the Cloud (December 2010). » Customer audits: Providers complete customer-prepared checklists and detailed questionnaires about capabilities. The CloudLock software addresses a common issue: employees. Your business may also be subject to regulations or legal processes that require ready access to significant historical data. it doesn’t specify how to get that done. your cloud service provider may use your data for secondary purposes if data ownership rights are not addressed in contracts. » SAS 70 reports: These reports address a provider’s internal controls as they relate to information processing systems that support financial reporting. but a provider’s need to protect confidential processes can limit the scope of customer audits. Also. from breaches. soon. CloudLock. Retention and Ownership—You rely on data to forecast. physical security. such as social security numbers. and so forth—that combine to achieve compliance. Finally. and other cloud-based software without the IT department’s—or the compliance team’s—knowledge (let alone consent). and the benefits of third-party assurance: With cloud computing. Exposing customers’ personal information can also result in fines.19 stand HIPAA per se.” Brown says. Another. though he agrees that most organizations will have data they deem too sensitive to put in the cloud. HIPAA merely says healthcare data must be secure and confidential. Brown says. So while the SAS 70 delivers insight. a senior analyst covering risk and security with Forrester Research. Without sufficient data reten- » Self-assessments: Providers prepare assessments based on arbitrary frameworks. Providers try to address user concerns with: » Security—You could be at a competitive disadvantage or subject to negative publicity and legal or regulatory action if your intellectual property or other data could be accessed by other cloud users. Once a path to HIPAA compliance is defined. too. a company can wrap an SLA around a bundle of services—encryption. McAfee’s Cloud Security Platform is just one example. Inaccurate or incomplete data coming from a cloud provider’s systems could result in poor forecasting or incorrect public reporting. Okta. » Privacy—You are obligated to protect customers’ and employees’ personal data. Greg Brown. cloud users need specialized resources to conduct effective audits. . Microsoft’s cloud-based Office 365. “HIPAA [compliance] is an end-state. what cloud providers are doing to thwart risk. it is not sufficient to address the full scope of risks associated with cloud computing. which let you identify dedicated physical servers and storage. Box. but they often do not include customercentric monitoring of SLA performance or financial adjustments for non-performance that protect cloud users. says Rick Holland. auditability. he says. are using Google Apps. But cloud computing risks go far beyond those relevant to financial reporting. “I would dare to say that almost every organization has a lot more of that going on than they think. Even when these assessments are thorough. Even the loss of relatively small amounts of customer data has led to bad publicity and brand damage for many large organizations. offers a way to “provision and de-provision” (that means “add and delete” CLOUD COMPUTING RISK ASSESSMENT The following information from PwC explains what risks are associated with cloud computing. or even entire departments. » Data Integrity. ■ tion and access rights. “Just because you’re embracing the cloud doesn’t mean you have to invent a new security process. Vendors are stepping up with new cloud-security offerings.” Holland says. McAfee’s vice president of product marketing and cloud security. generally focused on the documentation of security policies. and. says hosted private clouds.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->