Professional Documents
Culture Documents
Cloudy Daze
Steven J. Ross, CISA, Is cloud computing1 really the revolutionary owners and processors of information, the same
MBCP, CISSP, a retired expansion of computing capabilities its lessons must be relearned: transfer of custody
director from Deloitte, is the proponents claim it to be? Or, is it the natural does not equate to transfer of ownership. The
founder of Risk Masters Inc. evolution of outsourcing trends that have been basics of security and control for computing
He can be reached at developing for decades? Is cloud computing more services have never changed:
stross@riskmastersinc.com. secure, or less? • The ownership of the information (and its
Yes. security) remains with the customer.
• The responsibility for executing security is
Plus ca reste la même chose…2 shared between the owner and service provider.
Most of the concerns about cloud computing • The owner of the information bears the
that I have read and discussed center on one responsibility for assuring that the provider
fact: the data and the software no longer reside executes and enforces security over the
in an organization’s data center. It would appear information.
that for many there is an internal calculation that Just because an organization does not own a
possession equals control equals security, but is data center or pay the operators does not mean
this equation meaningful? If the big change in that it loses control over the information and
cloud computing is the disappearance of data software. Reliance on physical controls over
center walls, it is no change at all. the instantiation of information is overrated.
Almost as long as there have been computers Except for backup tapes,3 which present their
there have been services that separate the own challenges, the data are neither tangible
processing of information from the possession of nor portable. Operators as privileged users are
the equipment to do it. In the 1950s, IBM created indeed a concern, but in today’s technology—and
the Service Bureau Corp. (SBC) to run programs tomorrow’s—an operator does not need physical
on SBC’s computers on behalf of corporate access to manipulate the data.
customers. It was some time before the term
outsourcing came into vogue, but Ross Perot’s …Plus Ca Change4
Electronic Data Systems (EDS) was doing just And yet, there are some substantial differences
that, beginning in 1962. The economies available between older forms of outsourcing and cloud
through labor arbitrage drove many companies computing. The most obvious is that information
in the West to outsource information technology is accessed via the Internet, with all that implies
functions to organizations in Asia. Perhaps with regard to confidentiality and integrity. More
the perceptions of the problems with previous subtle, but ultimately demanding more security,
outsourcing efforts have raised fears about is that information technology is transformed into
outsourcing to a cloud computing provider, but a dynamically scalable service, made possible by
they are not new concerns. virtualization. If the promise of cloud computing
Essentially, management’s qualms about cloud is realized, an organization can rapidly expand and
computing can be reduced to two worries: contract the software, infrastructure, network and
• My information is being processed somewhere, storage it uses. The security that is appropriate
but I do not know where. for one set of computing resources, especially
• My information is in the custody of someone, application data, may be inappropriate for another.
but I do not know who. With the context switching rapidly, it is difficult to
Scary to some, perhaps, but not much match security with risk on a dynamic basis.5
different from the fears encountered in another There has been quite a lot written on cloud
generation when the paper files in a desk drawer computing security that does not address this
were translated to invisible bits in a data center contextual change. The focus instead has been on
elsewhere. Each time distance is put between the the security threats that accompany outsourcing: