
Brought to you by the publishers of COMPLIANCE WEEK

Improving Data Security for Mobile and Cloud Computing

An e-Book publication sponsored by PwC and GeoTrust

INSIDE THIS PUBLICATION: Risks and Benefits of Employee-Owned Devices; PwC: Establishing Trust in Cloud Computing; Improving Data Security for Cloud Computing; GeoTrust: Choosing a Cloud Provider with Confidence; Outlook Improving for Data Security in the Cloud
e-Book: A Compliance Week publication

Company Descriptions

Compliance Week is an information service on corporate governance, risk, and compliance that features a weekly electronic newsletter, a monthly print magazine, proprietary databases, industry-leading events, and a variety of interactive features and forums. Founded in 2002, Compliance Week has quickly become one of the most important go-to resources for public companies. Compliance Week now reaches more than 26,000 financial, legal, audit, risk, and compliance executives.

PwC provides professional services offering cloud providers and their customers an independent and objective assessment of controls and policies related to cloud computing technology. PwC has been providing professional IT and compliance services for over 100 years. Our professionals are recognized throughout the industry for their innovation in analyzing, developing, and implementing tailored solutions for clients—both within the technology sector and across all industry sectors. With strong industry credentials and more than 163,000 professionals in 151 countries, we actively leverage our diverse institutional knowledge, experience and solutions to provide fresh perspectives and significant value for our clients. As broader enterprise adoption of cloud computing technology emerges, you need IT, audit, risk, technology, and security professionals you can trust to help you see through the clouds and protect your assets and brand.

GeoTrust, a leading certificate authority, provides retail and reseller services for SSL encryption and website authentication, digital signatures, code signing, secure email, and enterprise SSL products. Products include True BusinessID with Extended Validation SSL Certificates, True BusinessID SSL Certificates, Multi-Domain Certificates, UC/SAN SSL certificates, Wildcard SSL Certificates, Quick SSL Premium Certificates, My Credential Certificates, Enterprise SSL, and VeriSign Certified Document Solutions.

Inside this e-Book:
Company Descriptions 2
Risks and Benefits of Employee-Owned Devices 4
PwC: Establishing Trust in Cloud Computing 6
Improving Data Security for Cloud Computing 10
GeoTrust: Choosing a Cloud Provider with Confidence 12
Outlook Improving for Data Security in the Cloud 18

Risks and Benefits of Employee-Owned Devices
By Joe Mont

Fueled by the popularity of the iPhone and iPad—and aided by the uncertain future of Research in Motion, maker of that longtime business staple the BlackBerry—companies are increasingly embracing a “bring-your-own-device” workplace. No longer content with just a company-issued desktop or laptop, employees are looking to thumb their way through e-mail and what is often sensitive company data whenever, and wherever, they choose on devices they purchase themselves.

The trend has forced companies to weigh the benefits of a happy, productive workforce with security issues and regulatory requirements, particularly when it comes to privacy issues.

“Can you imagine being the internal auditor and going to your board of directors and saying, ‘Well, I can provide evidence that we have compliance on these rigorous data protections and intellectual property protection policies that you set on 60 percent of our devices. The other 40 percent? We have no clue,’” says Davi Ottenheimer, president of information security firm Flyingpenguin, co-author of “Securing the Virtual Environment: How to Defend the Enterprise Against Attack.”

While some companies are embracing the BYOD approach—happy to let employees bear the cost of hand-held devices—others are clamping down on the practice out of security concerns. IBM recently evicted Siri from its workplace and banned employees from using their own devices, like iPhones, to view company data. IBM cited concern over the way Apple’s data pipeline between users and the voice-activated “personal assistant” could compromise security. IBM also bans cloud-based services, like Dropbox, that are more consumer focused and don’t offer robust, enterprise-level security.

“IBM has a lot to lose if Siri is actually leaking data out,” Ottenheimer says. “I think the rapid change caught developers and enterprise IT off guard. Unfortunately the developers of mobile applications and the cloud services that support them did not bake compliance and security into the solutions.”

Mobile computing has “dramatically changed how we exchange data,” says Rick Dakin, CEO and co-founder of Coalfire, an information technology governance, risk, and compliance firm, and most companies don’t even realize the security risks they are taking when they allow employees to use their own electronic devices. Dakin recalls sitting on a flight recently beside a fellow passenger who was frantically pounding out an executive briefing filled with sensitive sales data on a brand new iPad, using the airplane’s insecure WiFi—a scenario he says is far too common. “The IT department of that enterprise has no idea what he is doing, has no idea what the access controls are, has no idea what data is being addressed, no idea how that data is being transported, and has no ability or access to wipe that iPad should he lose it,” he says.

“The BlackBerry was a business instrument that maybe you did some personal stuff on,” says Ojas Rege, vice president of strategy for MobileIron, a company that provides enterprise management and security for mobile devices and apps. “In the old days, not that many people really bought a BlackBerry themselves. What’s changed now is that every individual wants a smartphone or a tablet and it is a personal instrument that they are also going to do business on. The role has reversed.”

The trend toward BYOD has both helped and hurt Cisco. In May the company announced that while the trend has led to “tremendous interest” in its Jabber and WebEx collaboration software, these same “market transitions” led to a decision to cease development of its Cius tablet. Launched in 2010, the enterprise-focused tablet found itself struggling to draw market share away from the consumer-level devices being integrated into the workplace. The same trends haven’t been kind to BlackBerry.

Embracing BYOD

A study of 600 U.S. IT and business leaders conducted in May by Cisco finds that more companies are embracing BYOD. According to the study, 95 percent say their organizations permit employee-owned devices in some form in the workplace. Eighty-four percent of IT departments not only allow employee-owned devices, but also provide some level of support, and 36 percent of those surveyed say enterprises provide full support for employee-owned devices. “IT is accepting, and in some cases embracing, BYOD as a reality in the enterprise,” the study’s authors wrote.

Some IT security experts say that companies can allow a BYOD approach and still maintain some security standards. “I think the BYOD discussion is going to come down to how much you can get away with before you introduce harm,” Ottenheimer says. “If you give employees a workspace that they are able to own, and run with, they will be productive. But on the flipside you are also introducing so much more risk.”

According to Dakin, in a way, it is more than bringing your own device to work; it is managing compliance in the post firewall era. “Companies have to find a way, in self defense, from a political standpoint to use compliance to say, ‘You can bring your device, but we will hold you responsible and we will take action, to protect our assets and to make sure the devices that are brought in meet our compliance guidelines,’” he says.

Companies have already looked at issues like encryption and password protections, Rege says. What they haven’t done as well is to bridge the gap between implementation and policy. “[In the past] they have been able to put policies in place without really having to consider the impact of privacy,” he says. “In a BYOD setting, with a personal device that is being used for business, suddenly, privacy becomes relevant. Security is an enterprise worried about losing its data. Privacy is a user worried about losing his or her data. It is exactly the same problem, but from two very different perspectives.”

Protecting Data

The first step for companies looking to adapt to BYOD demands, says Dakin, is to identify the baseline for corporate data protection. They then need to assess what could happen to a mobile device that might pose a threat to corporate data, such as a lost phone or a user who removes password protection. Updating security policies to adapt to mobile devices is another important step. Internal audit requirements also have to be updated to account for mobile computing. “Most companies have not,” Dakin says. “The early wave of security was all about firewalls and intrusion prevention because the bad guys lived in Russia and they were going to attack us over the Internet, with that firewall mentality of a hard candy outer shell with a soft, gooey inside. That’s really where their education stopped.”

Similar to how companies deploy data classification programs, users can have privileges reined in based on their mobile devices’ trust level, Rege says. “You can say that a highly trusted device, which has defined characteristics, gets access to all my enterprise resources,” he says. “If the trust level of that device drops, you only get access to e-mail and not an application with financial data. If the trust level drops even more, you don’t get access to anything.” He says the trust level of a particular device can be changed through the day depending on its characteristics, such as its location or behavior pattern.

“The mind shift compliance and security teams need to have is that the user experience is fundamental, so anything they do on the security side that breaks user experience will just lead that well-intentioned user to go rogue,” Rege says. “They will just go around it. User experience will actually trump your security policy.”

Beyond users, companies also need to navigate regulatory hurdles. “There are a lot of companies that are worried about moving forward with next-generation mobile apps because they are not sure how to handle their compliance teams and regulators in a way that gets everyone to a place where they need to be,” Rege says. “It is a question of raising the awareness, because the solutions are there. They don’t need to fear migration to mobile, they just need to plan for it and execute for it.”

“Unfortunately, many of the business decision makers, the ones who allocate the capital, don’t understand the technology,” he adds. Ottenheimer predicts that these issues will gain more focus as younger people, raised on technology, enter government. “We are transitioning into the era of the tech-aware regulator,” he says. “I think there are going to be some new models for how a compliance team is structured and how the relationship with whatever regulatory body is managed on a daily basis.” ■

MOBILE DEVICE TRENDS
The following graph from Cisco shows what is trending now for mobile devices. [Graph not reproduced in this extraction.] Source: Cisco.

KNOWLEDGE LEADERSHIP
Establishing Trust in Cloud Computing
By Sharon Kane and Cara Beston

Cloud Value Proposition

Cloud computing has unprecedented potential to deliver greater business agility and flexibility while lowering IT costs. It is no surprise that cloud computing is the fastest-growing trend in enterprise technology today—and for the foreseeable future. Forrester Research, Inc. predicts the global cloud computing market will mushroom from $40.7 billion this year to $241 billion by 2020.1

Cloud has already taken flight in many IT organizations. In PwC’s 2012 Global Information Security Survey of more than 9,600 security and IT leaders, 41% of respondents said their organization has implemented some form of cloud computing.2 This is no surprise given the results of our 2012 Global CEO Survey, which indicated 31% of CEO’s expect a significant change in strategy related to the adoption of new technologies like enterprise mobility and cloud computing over the next three to five years.3

While most CIO’s now consider cloud computing mature enough for some level of adoption within the enterprise, they remain concerned about the risks associated with cloud computing. Of particular concern are the risks associated with using a public cloud, which is where the greatest benefits can be achieved. In an era where corporate governance, compliance with regulations, and meeting stakeholder commitments are essential to a company’s reputation, many business leaders are concerned about how they will address the issues that surface in every conversation about the cloud: security, data privacy and integrity, availability, and compliance.

Third-party assurance—that is, independent reporting solutions to address the trust gap between providers and users—may be part of the answer. Gartner, Inc. predicts that by 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service.4 Third-party assurance may be the catalyst companies need to embrace cloud computing with greater confidence. With third-party assurance, an independent and objective organization delves into a cloud provider’s environment to identify and test controls that govern the ability to deliver promised levels of service along with sufficient security, data privacy and integrity, availability, and compliance.

Moving to the cloud can provide unprecedented benefits, but it can mean giving up some control over these risks. While businesses can outsource their systems, applications, and business processes, they can’t outsource their obligations—to investors, customers, employees, partners, and regulators—to manage risks. As such, companies need transparency into how well cloud providers’ environments address their concerns.

Risks with Cloud Computing

Some of the risks associated with cloud computing include the following:

» Security: In a recent PwC survey, 62% of respondents who outsource IT say that data security in the cloud is a serious risk. You could be at a competitive disadvantage or subject to negative publicity and legal or regulatory action if your intellectual property or other data is accessed by other cloud users or hacked. Protecting sensitive, business-critical data is paramount.

» Availability: Cloud providers promise certain levels of availability and uptime, but you have no way of knowing if a provider has adequately prepared for high usage levels across multiple cloud users. This is an especially relevant concern for companies considering moving high-volume, data intensive, or critical transaction processing to the cloud.

» Data integrity: You rely on data to forecast, report on, and manage your business. Inaccurate or incomplete data coming from a cloud provider’s systems could result in poor forecasting or incorrect public reporting.

1 Forrester Research, Inc., “Sizing the Cloud,” April 2011
2 PwC, “2012 Global State of Information Security Survey,” September 2011
3 PwC, “15th Annual Global CEO Survey 2012,” January 2012
4 Gartner, Inc., “Summary Report for Gartner’s Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away,” Daryl C. Plummer et al., November 29, 2011

WWW.COMPLIANCEWEEK.COM » 888.519.9200

» Data privacy: You are obligated to protect customers’ and employees’ personal data—such as social security numbers, health information, and credit card numbers—from breaches. Even the loss of relatively small amounts of customer data has led to bad publicity and brand damage for many large organizations. Exposing customers’ personal information can also result in fines. However, your cloud service provider may use your data for secondary purposes if data ownership rights are not addressed in contracts. Your business may also be subject to regulations or legal processes that require ready access to significant historical data. Without sufficient data retention and access rights, you may be subject to fines and penalties for non-compliance.

Cloud computing provides very clear benefits. Moving to the right cloud provider can help your company save money, respond more quickly to internal IT needs, provide new services and products to customers, and expand as business grows. However, these advantages require that your organization cede control over risk mitigation and management to a third-party cloud services provider. The question is: How do you choose the right cloud provider—one that will help you realize business objectives, while reducing risk and providing the trust and transparency you need?

Protecting Against Risks

Cloud providers know that businesses have reservations about cloud computing. As a result, cloud providers are investing great amounts of time, resources, and effort into compliance with ISO 27001/27002, the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), PCI Data Security Standards and other standards.

Customers and prospective customers are looking for timely, useful information with enough relevance and detail to help them make decisions and compare providers. They also want proof that a cloud provider is operating in a way that meets changing regulations and standards set out by government agencies, industry groups, and their own governance boards. Cloud providers may offer the following assurances:

» Compliance “certifications”: Increasingly, customers are requiring providers to demonstrate compliance with a growing number of traditional standards, primarily focused on security.

» Self-assessments: Providers prepare assessments based on their own framework, generally focused on the documentation of security policies. Even when these assessments are thorough, they are not objective.

» Service level agreements (SLAs): These agreements spell out the provider’s obligations, but they often do not include customer-centric monitoring of SLA performance or financial adjustments for non-performance that protect cloud users.

» Customer audits: Providers complete customer-prepared checklists and detailed questionnaires about capabilities. However, cloud users need specialized resources to conduct effective audits. Also, a provider’s need to protect confidential processes can limit the scope of customer audits.

» AICPA Service Organization Reports: These reports range from addressing a provider’s internal controls as they relate to information processing systems relevant to financial reporting (SOC 1 or SSAE 16) to an assessment covering technology related areas such as privacy, confidentiality, processing integrity, availability, and security of service providers (SOC 2).

Many cloud providers have invested heavily to develop highly secure and available environments, but their efforts to overcome doubts often fail to inspire the confidence of potential cloud users. The amount of comfort you will want to obtain will depend on the risk associated with your cloud adoption.

A Cloudy Future

The technologies and processes used to deliver cloud computing are evolving, and there are no established technology or compliance standards specific to cloud. While existing compliance and regulatory frameworks were not developed to address the specific risks of cloud, the fundamental risks are similar to those risks that would have been faced with any IT or business process outsourcing. Emerging control standards are also under development, the most prominent of which is the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Beginning later in 2012, cloud service providers will be able to seek FedRAMP certification, which will require having an independent Third Party Assessment Organization perform an initial system assessment and ongoing monitoring of controls. While the FedRAMP program is specific to cloud providers seeking to do business with the government, this framework and associated certification may provide commercial companies a foundation of comfort that a cloud provider has been subject to an independent assessment of controls relevant to cloud.

As standards evolve, cloud providers may be able to offer a “certification” that alone satisfies your concerns; but, until then, third party assurance may be necessary for you to trust your most valuable asset—your brand—to cloud computing with confidence. Yet every cloud provider is different. To choose a provider you can trust, evaluate the level of assurance they can offer you and supplement it with your own evaluation of controls, as necessary. ■

ABOUT THE AUTHORS
Sharon Kane (sharon.kane@us.pwc.com) and Cara Beston (cara.beston@us.pwc.com) are partners within PwC’s assurance practice. They have significant experience working with both technology providers and cloud users on evaluating the risks and controls associated with cloud computing technology.

© 2012 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Turning cloud into business value

One thing’s for sure. The strategy for the cloud has moved beyond cost reductions. The right cloud strategy and execution plan can transform your business. It can make your business even more agile and collaborative, increase innovation and decrease time to market. Which suggests the importance of developing and implementing a comprehensive cloud strategy that considers governance, security, and controls along with the impact on IT.

To learn more about how PwC can help turn your cloud strategy into business value, go to pwc.com/us/cloud

Improving Data Security for Cloud Computing
More challenges face companies looking to mitigate data security risk
By Jaclyn Jaeger

The advent of cloud computing and mobile devices has, of course, dramatically changed the way employees access, use, and share information, yet the related security risks continue to frustrate IT professionals, even while pressure mounts to mitigate those risks.

“This is the future of business,” said Mark Benioff, CEO of Salesforce.com, at the RSA Conference in San Francisco in February.

“We are going through a massive transformation in our industry,” said Symantec CEO Enrique Salem at the conference. “We’re being required to offer more services, mobility, and access while at the same time dealing with more requirements around governance and compliance.”

Salem described how the “digital native” generation, in particular, has forever changed the way companies conduct business. Typically born in the 1990s, digital natives have never known a time before the Internet or mobile devices. Digital natives readily turn to their mobile devices, social networking sites, and the cloud to solve problems, rather than obtaining information from a single source, such as a search query. That push for access to social media platforms and mobile apps is driven by a young generation that has never been tied to a desktop system. The new workforce is “more open, transparent, and collaborative,” said Salem.

This new world of doing business means enabling interconnectivity, as well as allowing for “strong governance and controls,” said Salem. “We need to stop saying ‘no’ and partner with our user community. This new world cannot be a choice between social versus secure; it has to be both.”

Salem offered a list of three questions companies in every industry must think about to move forward:
» How do we keep track of a substantially higher volume of online activity?
» How do we manage online identities when our employees maintain dozens?
» How do you protect information when the workforce shares information freely?

“If we can’t answer these questions, it will be a barrier to the new world of business,” said Salem.

While security problems still abound, great progress is being made toward getting them solved. A “lockdown mentality” is not the answer, said Salem. He described the need for an “advanced persistent protection” plan made up of four essential pillars:
» State-of-art protection, one that recognizes threats without affecting the corporate infrastructure.
» Reliable early warning systems that allow you to understand when a new threat is potentially going to attack.
» Fast remediation, solutions that can move faster than the threat can spread across the company.
» A response plan that includes enforcement officials that can help with an ultimate solution.

At the same time, however, there are no easy solutions to solve the security risks. In fact, a recent “Global Study on Mobility Risks” conducted by the Ponemon Institute reveals the degree to which mobile devices are circumventing enterprise security and policies. According to the survey of more than 4,000 IT practitioners in 12 countries, 77 percent said the use of mobile devices in the workplace is important to achieving business objectives, but 76 percent also believe these devices put their companies at risk. Companies still have a long way to go when it comes to adopting necessary security controls and enforceable policies. According to the study, only 39 percent have the necessary security controls to address the risks, and only 45 percent have enforceable policies.

Part of the problem is that employees don’t always follow the controls and procedures. In fact, 59 percent of respondents report that employees circumvent or disengage security features, such as passwords and key locks, on corporate and personal mobile devices. Fifty-nine percent of respondents reported that over the last year, their companies experienced an increase in malware infections as a result of insecure mobile devices in the workplace, with another 25 percent unsure if they have or not. During the past 12 months, 51 percent of those companies experienced data loss resulting from employee use of insecure mobile devices, including laptops, smartphones, USB devices, and tablets.

“It’s clear that employees are deliberately disabling security controls, which is a serious concern,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “These devices open the door to unprecedented loss of sensitive data, which increase rates of malware infections. And the continued migration to mobile devices will only make matters worse.”

“Tablets and iOS devices are replacing corporate laptops as employees bring-their-own-devices to work and access corporate information,” said John McCormack, president of Websense, a data security firm, which sponsored the study. “As mobile devices become more pervasive and more employees bring their own smartphones and tablets to work, IT is being challenged like never before.”

New Security Tools

To prevent security threats, IT needs to be concerned about the data that mobile devices access and not the device itself, said Tom Clare, senior director of product marketing management of security provider Websense. “They need to immediately protect data, and they need to establish and enforce security practices and policies.”

Traditional static security solutions such as antivirus, firewalls, and passwords are not always effective at stopping advanced malware and data theft threats from malicious or negligent insiders, said Salem. Companies already have available the tools they need to achieve greater visibility, added Salem.

Christopher Young, senior vice president at Cisco Systems, who also spoke at the RSA event, described the need for more effective firewalls that can track data as it enters and leaves a company’s systems. “In a world where users are bringing their own devices to work and where user names and passwords, even the strong ones, are easily compromised, our only way forward as an industry is to deliver increasingly granular, context aware, and forced control via the network,” said Young.

“Today we can access standard language that is directly embedded in routers and switches that automatically enforces our policies,” said Young. By doing so, the network can determine several factors, he said:
» How is that device connected—via Ethernet or wireless?
» What’s the device: a PC, iPad, iPhone?
» What is the posture of that device: Is it infected, or is it clean?
» Where is that device connected from, and when?

“What makes all this context power is that now legitimate users can safely get access to the resources that they need on your network,” said Young. “This replaces that one size fits all policy that most organizations are using today.”

Administrative burdens on users also must be reduced, so that it is as close to single sign-on as possible, but flexible enough to work across a variety of platforms, Young added. Authentication of data also needs to be altered, and cloud audit trails need to be set up and monitored. Data that leaves the cloud should automatically be tagged. Employees’ access to accounts also should be disabled after they leave the company. ■

MOBILE DEVICE RISK
Below is a chart from the Ponemon Institute study that shows respondents’ perceptions about the use and risks of employees’ mobile devices (strongly agree & agree responses combined):
» 77%: The employees’ use of mobile devices in meeting business objectives is essential or very important.
» 76%: The use of mobile devices in the workplace represents a serious security threat.
» 39%: My organization has the necessary security controls to mitigate or reduce the risk posed by insecure mobile devices.
Source: Ponemon Institute.

KNOWLEDGE LEADERSHIP
Choosing a Cloud Provider With Confidence
SSL Provides a Secure Bridge to the Cloud

Executive Summary
Cloud computing is rapidly transforming the IT landscape, and the conversation around adopting cloud technology has progressed from “if” to “when.” Enterprises are showing strong interest in outsourced (“public”) cloud offerings that can help them reduce costs and increase business agility. These cloud services offer enormous economic benefits, but they also pose significant potential risks for enterprises that must safeguard corporate information assets while complying with a myriad of industry and government regulations. Many cloud service providers can deliver the security that enterprises need, and SSL (secure sockets layer) certificates are part of the solution. More specifically, SSL is the solution for securing data when it is in motion. The goal of this white paper is to help enterprises make pragmatic decisions about where and when to use cloud solutions by outlining specific issues that enterprises should raise with hosting providers before selecting a vendor, and by highlighting the ways in which SSL from a trusted certificate authority can help enterprises conduct business in the cloud with confidence.

Ready or Not, Here Comes the Cloud
Some people believe cloud computing is the most significant paradigm shift since the advent of the internet. Others think it’s just a fad. But one thing is for certain: cloud technology is quickly rising to the top of every CIO’s priority list.1 Organizations are accelerating their uptake of cloud services, and industry analysts such as Gartner Research estimate that enterprises around the world will cumulatively spend USD $112 billion on cloud services over the next five years.2 Many enterprise hosting providers are already well positioned in the market and have the core competencies (people, processes, technology) to deliver the promise of cloud computing to the enterprise.

New Opportunities for Business
Most organizations cite cost savings as the most immediate benefit of cloud computing. For the enterprise, cloud services offer lower IT capital expenditures and operating costs, on-demand capacity with self-service provisioning, and pay-per-use pricing models for greater flexibility and agility. The service provider, in turn, achieves exponentially greater economies of scale by providing a standardized set of computing resources to a large base of customers.

New Security Challenges for IT
Despite the clear economic benefits of using cloud services, concerns about security, compliance and data privacy have slowed enterprise adoption. An IDC survey of IT executives reveals that security is the #1 challenge facing IT cloud services.3 Gartner Research has identified seven specific areas of security risk4 associated with enterprise cloud computing, and recommends that organizations address several key issues when selecting a provider:

1. Access privileges – Cloud service providers should be able to demonstrate they enforce adequate hiring, oversight and access controls to enforce administrative delegation.
2. Regulatory compliance – Enterprises are accountable for their own data even when it’s in a public cloud, and should ensure their providers are ready and willing to undergo audits.
3. Data location – When selecting a hosting provider, it’s important to ask where their datacenters are located and if they can commit to following specific privacy requirements.
4. Data segregation – Most public clouds are shared environments, and it is critical to make sure hosting providers can guarantee complete data segregation for secure multi-tenancy.
5. Data recovery – Enterprises must make sure their hosting provider has the ability to do a complete restoration in the event of a disaster.
6. Monitoring and reporting – Monitoring and logging public cloud activity is hard to do, so enterprises should ask for proof that their hosting providers can support investigations.
7. Business continuity – Businesses come and go, and enterprises should ask hard questions about the portability of their data to avoid lock-in or potential loss if the business fails.

To reap the benefits of cloud computing without increasing security and compliance risks, enterprises must ensure they work only with trusted service providers that can address these and other cloud security challenges.

1 Source: Gartner EXP Worldwide Survey (http://www.gartner.com/it/page.jsp?id=1283413)
2 Source: Gartner Research (http://www.gartner.com/it/page.jsp?id=1389313)
3 Source: IDC eXchange (http://blogs.idc.com/ie/?p=730)
4 “Assessing the Security Risks of Cloud Computing” (http://www.gartner.com/DisplayDocument?id=685308), Gartner, June 3, 2008.

WWW.COMPLIANCEWEEK.COM » 888.519.9200

SSL Provides a Bridge to Secure Data in the Cloud
SSL is a security protocol used by web browsers and web servers to help users protect their data during transfer. SSL is the standard for establishing trusted exchanges of information over the internet. Without the ubiquity of SSL, any trust over the internet simply would not be possible. SSL delivers two services that help solve some cloud security issues. First, SSL encryption keeps prying eyes from reading private data as it is transmitted from server to server and between server and browser. The second benefit, possibly even more important, is establishing that a specific server and domain can be trusted. An SSL certificate can authenticate that a specific server and domain do belong to the person or organization that it claims to represent. This benefit requires that the hosting provider use SSL from a third-party Certificate Authority (CA).

Whether data is moving between server and browser or between server and server, SSL helps to secure it. If an enterprise keeps its data in the cloud, secure network access to it is important. Plus, that data is likely to move around between servers in the cloud when the service provider performs routine management functions. SSL comes into play anytime data changes location. What’s more, when enterprises move from using just one cloud-based service to using several from different providers, each with different infrastructures, operational policies, and security skills, they must manage all these issues across multiple operators. This complexity of trust requirements drives the need for a ubiquitous and highly reliable method to secure your data as it moves to, from and around the cloud.

How Does SSL Work?
An SSL certificate contains a public and private key pair as well as verified identification information. When a browser (or client) points to a secured domain, the server shares its public key (via the SSL certificate) with the client to establish an encryption method and a unique encryption key for the session. The client confirms that it recognizes and trusts the issuer of the SSL certificate. This process, based on a sophisticated backend architecture laced with checks and double-checks for security, is known as the “SSL handshake” and it can begin a secure session that protects data privacy and integrity.

Ensuring Data Segregation and Secure Access
Data segregation risks are ever-present in cloud storage. However, a proper implementation of SSL can secure sensitive data as it is being transmitted from place to place in the cloud, and between cloud provider servers and end users on browsers.

Authentication
Businesses also should demand that server ownership be authenticated before one bit of data transfers between servers. Self-signed SSL certificates provide no authentication. Only independent, third-party SSL certificates can legitimately deliver ownership authentication. Requiring a commercially-issued SSL certificate from a third-party Certificate Authority that has authenticated the server makes it virtually impossible to establish a rogue server that can infiltrate the cloud provider’s environment.

Certificate Validity
Once a server and domain are authenticated, the SSL certificate issued to that device will be valid for a defined length of time. In the rare case that an SSL certificate has been compromised in some way, there is a fail-safe check to verify that the certificate has not been revoked in the time since it was originally issued. Every time an SSL session handshake is initiated, the SSL certificate is checked against a current database of revoked certificates. There are currently two standards used for this validity check, Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL). With OCSP a query is sent to the certificate authority asking if this certificate has been revoked; the certificate authority answers yes or no. If the answer is no, the handshake may commence. The OCSP standard is considered the more reliable method by many because it is always up-to-date and less likely to time out due to network traffic. CRL, on the other hand, requires that the browser download the most current revocation list from the certificate authority and check the list itself to see if the certificate appears in the list. SSL certificates that rely only on the CRL standard are less desirable because in instances of high amounts of network traffic, this step can be missed: some browsers will misinterpret an incomplete CRL review as a confirmation that a certificate is not on the revoked list, consequently completing a handshake and initiating a session based on a revoked SSL certificate. In such a scenario, a rogue server could use a revoked certificate to successfully complete a handshake.

Encryption
Businesses should require their cloud provider to use a combination of SSL and servers that support, at minimum, 128-bit session encryption (or, preferably, the stronger 256-bit encryption). This way their data is secured with industry-standard levels of encryption or better as it moves between servers or between server and browser, preventing unauthorized interceptors of their data from being able to read it.

Facilitating Regulatory Compliance
Next are the regulatory compliance risks. When it comes to secure and confidential data, businesses are burdened with a slew of regulations. These range from laws like the Sarbanes-Oxley (SOX) Act, which affects only public companies, to the federal Health Insurance Portability and Accountability Act (HIPAA), which affects any business with even the remotest possibility of touching patient data, to the Payment Card Industry Data Security Standard (PCI-DSS), which affects any company accepting payment cards. In Europe there is the EU Data Privacy Directive, and Canada has an equivalent Personal Information Protection and Electronic Documents Act (PIPEDA). With traditional onsite storage, the business owner controls both exactly where the data is located and exactly who can access it. In a cloud environment, that scenario is fundamentally changed: the cloud service provider controls where the servers and the data are located. When an organization outsources IT to a cloud service provider, the organization is still responsible for maintaining compliance with SOX, PCI, HIPAA and any other applicable regulations – and possibly more depending on where the servers and the data are at any given moment. As a result, the enterprise will be held liable for data security and integrity even if it is outsourced. Since the enterprise IT manager cannot rely solely on the cloud provider to meet these requirements, the enterprise must require the cloud provider to seek some compliance oversight.
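The fail-open behaviour described above, shown as an added example that is not code from the white paper or from any certificate authority. It assumes a hypothetical CA whose OCSP responder and CRL are simulated by the `ocsp_query` and `fetch_crl` functions; the serial numbers and the revoked list are constructed. `crl_status_fail_open` reproduces the mistake the text warns about, `crl_status_fail_closed` is the corrected check, and `revocation_status` combines the two methods the defender's way: ask OCSP first, fall back to the CRL only when the responder gives no answer, and never let an incomplete download count as a clean result.

```python
"""Revocation checking with fail-closed semantics.

Added example; not code from the GeoTrust white paper or from any CA.
It models the behaviour the text describes: a client that treats an
incomplete CRL download as "not on the revoked list" will complete a
handshake on a revoked certificate, while a fail-closed client refuses.
The CA, the serial numbers and the CRL contents are constructed sample data.
"""
from enum import Enum


class Status(Enum):
    GOOD = "good"          # affirmative answer: not revoked
    REVOKED = "revoked"
    UNKNOWN = "unknown"    # no trustworthy answer obtained


class CrlFetchError(Exception):
    """The CRL download did not complete (timeout, truncation)."""


# Constructed CRL of a hypothetical CA: serial numbers it has revoked.
SAMPLE_CRL = frozenset({0x1001, 0x1002})


def fetch_crl(simulate_timeout=False):
    """Stand-in for downloading the CA's full revocation list."""
    if simulate_timeout:
        raise CrlFetchError("CRL download timed out before completion")
    return set(SAMPLE_CRL)


def ocsp_query(serial, responder_up=True):
    """Stand-in for asking the CA's OCSP responder about one serial number."""
    if not responder_up:
        return Status.UNKNOWN
    return Status.REVOKED if serial in SAMPLE_CRL else Status.GOOD


def crl_status_fail_open(serial, simulate_timeout=False):
    """The flawed behaviour the text warns about: an incomplete CRL review
    is taken as confirmation that the certificate is not on the list."""
    try:
        crl = fetch_crl(simulate_timeout)
    except CrlFetchError:
        return Status.GOOD   # BUG: no evidence of revocation is read as proof of none
    return Status.REVOKED if serial in crl else Status.GOOD


def crl_status_fail_closed(serial, simulate_timeout=False):
    """Same check, but a failed download yields UNKNOWN rather than GOOD."""
    try:
        crl = fetch_crl(simulate_timeout)
    except CrlFetchError:
        return Status.UNKNOWN
    return Status.REVOKED if serial in crl else Status.GOOD


def revocation_status(serial, responder_up=True, crl_timeout=False):
    """OCSP first (per-certificate, always current); fall back to the CRL
    only when the responder gives no answer, and never fail open."""
    status = ocsp_query(serial, responder_up)
    if status is Status.UNKNOWN:
        status = crl_status_fail_closed(serial, crl_timeout)
    return status


def may_complete_handshake(status):
    """Only an affirmative GOOD answer lets the session proceed."""
    return status is Status.GOOD


if __name__ == "__main__":
    for serial in (0x1001, 0x2000):
        print(hex(serial),
              "fail-open during CRL timeout:",
              crl_status_fail_open(serial, simulate_timeout=True).value,
              "| fail-closed:",
              crl_status_fail_closed(serial, simulate_timeout=True).value)
```

Run stand-alone, the script shows the revoked serial 0x1001 being reported as good by the fail-open check during a simulated timeout, and as unknown (so the handshake is refused) by the fail-closed one.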

Cloud computing providers who refuse to undergo external audits and security certifications are “signaling that customers can only use them for the most trivial functions,” according to Gartner. Additionally, technological changes to the cloud computing environment can unknowingly whittle away at the compliance of a cloud computing provider’s customer. Feature upgrades such as permission modifications, new capabilities, introduction of mobile devices, and network changes also can affect compliance. SSL encryption thwarts accidental disclosure of protected or private data as regulatory due diligence and data access is automated, as long as the cloud provider requires trusted authentication and encryption on all their servers through SSL from a certificate authority following such a practice.

Keeping Data Away from Undesirable Locations
SSL addresses the third area of risk, data location, in the same manner as with data segregation. Public clouds are like black boxes: while they enable ubiquitous access to data, they also obfuscate the physical location of the servers and the data. But if a cloud provider uses SSL to encrypt data as it changes places, an enterprise can be assured that its data will be secure as it moves around the cloud. Alternately, a legitimate third-party SSL provider such as GeoTrust or VeriSign will not issue an SSL certificate to a server in an interdicted country such as North Korea and Iran. So, an enterprise will know that the cloud provider isn’t storing their data on IT hardware in these countries.

Other Areas Where SSL Can Help
The enterprise needs to know how their cloud provider safeguards data in the case of a disaster, and how long it will take. If a crash happens, cloud hosts will attempt to recover data from backup servers. Gartner states that “any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to total failure,” and that any business in the cloud has a duty to know if the cloud provider is able to completely restore data from backups or duplicates.5 To prevent data loss, cloud service providers should maintain backup data repositories, with servers around the globe. SSL adds an extra layer of protection to the backup and recovery process for a business, ensuring that data accessed from backup or duplicate servers is encrypted in transit and that the servers being used are authenticated.

Using SSL to Establish and Maintain Trust in the Cloud
Using a cloud service provider requires a high level of trust and confidence, and SSL certificates provide a highly visible and immediately recognizable way to accomplish that. For example: suppose an enterprise chooses a cloud provider to host their e-commerce web site, but the host has a problem with the site’s SSL certificate. A user visits the site and is immediately greeted with the alarming “Secure Connection Failed” error or “There is a problem with this web site’s security certificate” message. Will that user ignore the browser warning and click through to complete a transaction on a seemingly untrustworthy site? Not likely. Business critical applications cannot rely on trial and error. So, missing or broken SSL can destroy trust instantly.

Not All SSL Is Created Equal
The chain of trust extends beyond the cloud vendor to their security provider. The cloud vendor’s security is only as good as the reliability of the security technology they use. Enterprises need to make sure their cloud provider uses an SSL certificate that cannot be hacked. Businesses must insist upon a critical reliability equation to establish trust. Cloud providers should be using SSL from an established, reliable and secure independent Certificate Authority. Its SSL should deliver at minimum 128-bit session encryption and optimally 256-bit encryption. And it should require a rigorous authentication process. SSL encryption renders all sensitive data useless to any third party intercepting or viewing it. Here, in addition to making sure the SSL comes from an authorized third party, the enterprise IT organization should also demand the following security requirements for the cloud provider’s SSL security:

5 “Domain 10: Guidance for Application Security V2.1,” Cloud Security Alliance, July 2010.

» A Certificate Authority that safeguards its global roots behind layers of industrial-strength security, employing multiple levels of electronic and physical security measures.
» A Certificate Authority that maintains a disaster recovery backup for its global roots.
» Global roots using the strong new encryption standard employing 2048-bit RSA keys.
» A chained hierarchy supporting their SSL certificates. At least one intermediate root in the chain adds an exponential level of encryption protection to prevent attacks to the global root.
» Secure hashing using the SHA-1 standard to ensure that the content of certificates can not be tampered with.

Additionally, many servers rely on a Debian-based operating system for generating their SSL keys. The fundamental encryption capabilities of this system were compromised from 2006 to 2008.6 SSL certificates can be issued for validity lengths of up to six years, so it is possible that SSL with this flaw is still being used. Enterprises should make sure their cloud provider is not relying on servers or SSL certificates which may have been compromised by this flaw.

Authentication Generates Trust in Credentials
Trust of a credential depends on confidence in the credential issuer, because the issuer vouches for the credential’s authenticity. Certificate authorities use a variety of authentication methods to verify information provided by organizations. It is best to choose a cloud provider who standardizes on a certificate authority that is well known and trusted by browser vendors, while maintaining a rigorous authentication methodology and a highly reliable infrastructure.

There are four levels of authentication for SSL. All enable an encrypted exchange of information; the difference lies within the strength of the server and domain authentication—in other words, the amount of effort put into validating the ownership and control of that server and domain.

1. Self-signed certificates offer zero authentication to enable encryption. This type of SSL does not provide the security required by an enterprise.
2. Domain validated certificates offer only basic authentication because they only confirm that the person applying for the certificate has the right to use a specific domain name, and that is all. These certificates are not recommended for server-to-browser connections because they do not vet or display the identity of the organization responsible for that domain or server.
3. Organization validated certificates offer reliable authentication for the cloud because they validate that the organization claimed to be responsible for the domain or server actually exists, as is the right of that organization to use that domain, and that the person applying for the SSL certificate for that domain or server is an authenticated representative from that organization. These SSL certificates are acceptable choices for server-to-browser connections, but they do not offer the highest level of confidence-building features for the end user.
4. Extended validation certificates (EV) are the best choice for server-to-browser connections because they offer the strongest level of authentication and the clearest validation that the connection is secure. With EV certificates, the legal, physical and operational existence of the organization is verified, and that the person requesting the certificate is an authorized agent of the organization. Using EV ensures that the organization’s identity has been verified through official records maintained by an authorized third party. An SSL certificate with this highest level of authentication can uniquely trigger unmistakable identifiers in an end-user’s web browser: a green browser address bar that displays the name of the organization, and the name of the certificate authority which issued the SSL. When end users encounter the green address bar, they have complete assurance that their connection is secure. Numerous businesses have reported noticeable uplifts in completed transactions (18 percent on average for VeriSign customers) after deploying Extended Validation SSL. EV is the preferred choice for hosting applications and services in the cloud.

6 Source: http://voices.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.html

Conclusion: Go With What You Know
SSL is a proven technology and a keystone of cloud security. Knowing that a cloud provider uses SSL from a trusted certificate authority can go a long way toward establishing confidence in that provider’s commitment to safeguarding the data in its possession. Enterprises should consider the seven categories suggested by Gartner when evaluating (and especially when contracting with) cloud computing solutions. When selecting a cloud service provider, enterprises must also be very clear with their cloud partners regarding handling and mitigation of risk factors not addressable by SSL. For these and other reasons, when an enterprise selects a cloud computing provider, the enterprise should consider the security options selected by that cloud provider. Cloud providers should be using SSL from an established, reliable and secure independent certificate authority. Its SSL should deliver at minimum 128-bit encryption and optimally 256-bit encryption based on the new 2048-bit global root. And it should require a rigorous authentication process. The SSL certificate authority needs its authentication practices audited annually by a trusted third-party auditor. The SSL issuing authority should maintain military-grade data centers and disaster recovery sites optimized for data protection and availability. The GeoTrust®, Thawte®, and VeriSign® SSL brands all offer SSL products that meet these requirements. ■

Learn More
To find a trusted cloud service provider that meets the criteria outlined in this white paper, visit http://www.GeoTrust.com/sell-ssl-certificates/strategic-partners.html.

About GeoTrust
GeoTrust is a leader in online trust products and the world’s second largest digital certificate provider. More than 300,000 customers in over 150 countries trust GeoTrust to secure online transactions and conduct business over the Internet. Our range of digital certificate and trust products enable organizations of all sizes to maximize the security of their digital transactions cost-effectively.

© 2011 GeoTrust, Inc. All rights reserved.
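As an added example that is not GeoTrust’s or the white paper’s code, the following inspects a server certificate in the dictionary form Python’s `ssl.SSLSocket.getpeercert()` returns and applies the checks the authentication levels above call for: self-signed (issuer equals subject, level 1), domain-validated only (no organisation in the subject, level 2), the validity window, and the six-year maximum validity the text mentions. The certificates, organisation names and domain names are constructed placeholders, and `hardened_client_context` is an assumed helper name showing the client settings that enforce third-party authentication of the server. EV status cannot be read from the subject fields alone (it is signalled by a certificate policy identifier), so the example does not attempt that distinction; note also that current CA/Browser Forum rules cap validity far below six years, so the threshold here is the page’s, not today’s.

```python
"""Sanity checks on a server certificate before trusting a cloud endpoint.

Added example; not code from GeoTrust or the white paper. It works on the
dictionary shape that Python's ssl.SSLSocket.getpeercert() returns and
checks the properties the white paper discusses. The certificates below are
constructed samples with placeholder names; nothing is fetched from the
network.
"""
import ssl

# The white paper mentions certificates issued for up to six years; anything
# longer is flagged. (Current CA/Browser Forum limits are much stricter; the
# threshold is taken from the text.)
MAX_VALIDITY_SECONDS = 6 * 365 * 24 * 3600

# Fixed "current time" so the example is reproducible.
NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2025 GMT")

# Constructed sample: organisation-validated certificate from a third-party CA.
SAMPLE_OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Cloud Inc"),),
                (("commonName", "app.cloud.example"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Certificate Authority"),),
               (("commonName", "Example CA G2"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2026 GMT",
    "serialNumber": "0A1B2C",
}

# Constructed sample: self-signed, common name only, ten-year validity.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "backup.cloud.example"),),),
    "issuer": ((("commonName", "backup.cloud.example"),),),
    "notBefore": "Jan 01 00:00:00 2020 GMT",
    "notAfter": "Jan 01 00:00:00 2030 GMT",
    "serialNumber": "01",
}


def _name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def assess_certificate(cert, now=NOW):
    """Return the findings a practitioner would want before trusting `cert`."""
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])

    findings = []
    if subject == issuer:
        findings.append("self-signed: no third-party authentication of ownership")
    if "organizationName" not in subject:
        findings.append("domain-validated only: organisation identity not vetted")
    if not not_before <= now <= not_after:
        findings.append("outside its validity period")
    if not_after - not_before > MAX_VALIDITY_SECONDS:
        findings.append("validity period longer than six years")
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("organizationName", issuer.get("commonName")),
        "findings": findings,
        "acceptable": not findings,
    }


def hardened_client_context():
    """Client-side TLS settings matching the paper's demands: require a
    certificate chaining to a trusted CA, check the hostname, modern protocol."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for cert in (SAMPLE_OV_CERT, SAMPLE_SELF_SIGNED):
        print(assess_certificate(cert))
```

In a real client the dictionary passed to `assess_certificate` would come from `sock.getpeercert()` on a socket wrapped with `hardened_client_context()`; with `CERT_REQUIRED` the self-signed case never gets that far, because the handshake itself fails when the chain does not end at a trusted root.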

Outlook Improving for Data Security in the Cloud
By Todd Neff

By now, the benefits of cloud computing are familiar: rapid deployment, scalability, low startup costs, accounting gains from expensing costs rather than capitalizing them, the list goes on. The tally of “the cloud’s” principal disadvantages is just as well-known, albeit a lot shorter: data security and compliance. Don’t be deceived by the imbalance in pros and cons, however; those two drawbacks have cast quite a shadow on cloud adoption. That’s not to say that data security problems are evaporating. The good news is that a combination of IT self-awareness, savvy dealings with cloud-computing providers, and new software offerings is chipping away at data security concerns.

Different types of cloud models have their own data-security and compliance implications—which, in turn, hinge on the nature of the data and processing a company wants to send to the cloud. Computing vendors host private, public, and hybrid clouds, where they provide software as a service (SaaS)—think Salesforce.com, infrastructure as a service (IaaS), which is server-and-storage for hire, and platform as a service (PaaS), a virtual software-development platform. Public clouds, hosted by the likes of Amazon, Microsoft, Google, IBM, and many others, are the most economically attractive. SaaS and IaaS, on the other hand, are the fastest-growing markets.

David Cass, chief information security officer of Elsevier, a publisher of science and health data, says his organization sees the cloud as an opportunity to let Elsevier focus on its strengths, managing content and delivering products to customers. Elsevier’s default IT position is to think “cloud-first” for every application and revert to in-house data centers if the cloud looks too risky.

Risk Analysis
The analysis starts with Elsevier’s enterprise architecture committee, Cass says. The first hurdle is a big one: Does the proposed cloud application involve what Cass calls “regulated data”—information that falls under the purview of the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), or a host of other laws and industry standards? If so, Elsevier takes the cloud off the table. Applications passing the first test then go through a cloud readiness assessment and a security review. The cloud readiness assessment review involves a hard look at the applications themselves. “The move to the cloud really puts the focus back on application security and good IT governance,” Cass says, “because it looks at things strategically across Elsevier, rather than having to put security around the application.” “As the cloud matures, as security gets better and there’s more visibility into the product, we can revisit some of the regulated data applications,” Cass says.

Douglas Barbin, a director at BrightLine and cloud-security auditor, agrees, and says even HIPAA-class data could be cloud-ready. It depends on what you give the public cloud in the first place. “If you’re doing processing on your end and put personally identifiable information in the cloud, the risk is reduced if it’s encrypted when it gets there,” Barbin adds. “It’s not just of losing control over one’s data. Because you may not have control over a cloud provider’s security and firewalls, the key thing is to make sure the application is designed with security in mind,” he says.

The risk is also reduced by finding the right service provider in the first place. Cloud providers are piling on certifications to demonstrate their commitment to security, including SAS 70, now [the AICPA’s] SOC 1 and SOC 2, PCI DSS 2.0, ISO 20000, and others. In terms of auditing, “it used to be that the forward-thinkers were doing SAS 70, and SOC 1 and SOC 2 seem to be more the norm,” Barbin says. The Cloud Security Alliance and the Open Data Center Alliance are also publishing guidance on security standards.

In the Contract
Service-level agreements can shore up cloud security and lessen the risk of moving to the cloud, says Thomas Trappler, director of software licensing at the University of California at Los Angeles, who teaches a seminar on cloud computing contracting. While experts see an increasingly wide range of data as cloud-eligible, deciding what to keep in-house and what to move to the cloud depends on an organization’s appetite for risk, the value (or savings) the cloud can impart, and the consequences. With the right SLAs in place and the right provider, the risk is reduced, making the transition to the cloud much less of a leap of faith.

“The cloud provider doesn’t necessarily have to understand HIPAA per se,” Holland says. HIPAA merely says healthcare data must be secure and confidential; it doesn’t specify how to get that done. “HIPAA [compliance] is an end-state,” Trappler says. Once a path to HIPAA compliance is defined, a company can wrap an SLA around a bundle of services—encryption, physical security, auditability, and so forth—that combine to achieve compliance, Trappler adds. Rick Holland, a senior analyst covering risk and security with Forrester Research, says hosted private clouds, which let you identify dedicated physical servers and storage, are the best bet for “audit-sensitive” offerings, though he agrees that most organizations will have data they deem too sensitive to put in the cloud.

Vendors are stepping up with new cloud-security offerings, too. The big names in IT security are playing in the cloud. McAfee’s Cloud Security Platform is just one example. It integrates into existing McAfee security products with the defining philosophy that a company should be able to extend its approach to IT security into the cloud’s SaaS and IaaS environments, says Greg Brown, McAfee’s vice president of product marketing and cloud security. “Just because you’re embracing the cloud doesn’t mean you have to invent a new security process,” Brown says. Another, CloudLock, provides a layer of control and auditability for Google Apps, and, soon, Microsoft’s cloud-based Office 365, Box.net, and others. The CloudLock software addresses a common issue: employees, or even entire departments, are using Google Apps and other cloud-based software without the IT department’s—or the compliance team’s—knowledge (let alone consent). “I would dare to say that almost every organization has a lot more of that going on than they think,” Brown says. Okta, an identity and access management service, offers a way to “provision and de-provision” (that means “add and delete” in the common tongue) users quickly and across cloud and corporate platforms. ■

CLOUD COMPUTING RISK ASSESSMENT
The following information from PwC explains what risks are associated with cloud computing, what cloud providers are doing to thwart risk, and the benefits of third-party assurance.

With cloud computing, risks include:
» Security—You could be at a competitive disadvantage or subject to negative publicity and legal or regulatory action if your intellectual property or other data could be accessed by other cloud users. The same is true for data viewed and misused by cloud administrators. This is an especially relevant concern for companies considering moving transaction processing to the cloud.
» Privacy—You are obligated to protect customers’ and employees’ personal data, such as social security numbers, health information and credit card numbers, from breaches. Even the loss of relatively small amounts of customer data has led to bad publicity and brand damage for many large organizations. Exposing customers’ personal information can also result in fines.
» Availability—Cloud providers promise certain levels of availability and uptime, but you have no way of knowing if the provider has adequately prepared for high usage levels across multiple cloud users.
» Data Integrity, Retention and Ownership—You rely on data to forecast, report and manage your business. Inaccurate or incomplete data coming from a cloud provider’s systems could result in poor forecasting or incorrect public reporting. Your business may also be subject to regulations or legal processes that require ready access to significant historical data. Without sufficient data retention and access rights, you may be subject to fines, penalties or judgments for non-compliance. Also, your cloud service provider may use your data for secondary purposes if data ownership rights are not addressed in contracts.

Providers try to address user concerns with:
» Self-assessments: Providers prepare assessments based on arbitrary frameworks, generally focused on the documentation of security policies. Even when these assessments are thorough, they are not objective.
» Customer audits: Providers complete customer-prepared checklists and detailed questionnaires about capabilities, but a provider’s need to protect confidential processes can limit the scope of customer audits.
» Service level agreements (SLAs): These agreements spell out the provider’s obligations, but they often do not include customer-centric monitoring of SLA performance or financial adjustments for non-performance that protect cloud users.
» SAS 70 reports: These reports address a provider’s internal controls as they relate to information processing systems that support financial reporting. But cloud computing risks go far beyond those relevant to financial reporting. So while the SAS 70 delivers insight, it is not sufficient to address the full scope of risks associated with cloud computing.

Finally, cloud users need specialized resources to conduct effective audits.

Source: PwC Whitepaper on Protecting Your Brand in the Cloud (December 2010).