
Cybersecurity and Information Assurance - Cloud Computing

Research paper from 2011 covering the role of Cybersecurity and Information Assurance in enterprise strategy and operational effectiveness.
Idea in Brief:
1. Cybersecurity and Information Assurance is mainly a cost of doing business with the unique opportunity to create significant value by enabling the enterprise to enter markets and use technology that competitors fear.
2. Learn from other disciplines and use existing methodologies to deliver enterprise outcomes.
3. Focus on the end-consumer


The University of Sheffield
Cybersecurity and Information Assurance
Mr Joseph Pindar and Dr Jonathan Rigelsford
7/7/2011
Idea In Brief:
1. See Cybersecurity and Information Assurance for what they are: mainly a cost of doing business with the unique opportunity to create significant value by enabling the enterprise to enter markets and use technology that competitors fear.
2. Learn from other disciplines and use existing methodologies to deliver enterprise outcomes.
3. Focus on the end-consumer of products and services as the customer and never consider the enterprise as a customer.
4. Consistently and repeatedly communicate the value of Cybersecurity and Information Assurance throughout the enterprise, using language the listener expects to hear.

In addition to the generous support of the ECIIA, the authors would like to thank all those who contributed to the paper, specifically: Paul King (Cisco) for his insight into security programmes in a large enterprise; Peter Hewson (Angerona) for his detailed contribution on certification; Andy Gill (ASE) for the detailed discussion on risk management and strategic alignment; GW for his insight into security in the petro-chemical industry; SG for his contribution surrounding the integration of ITIL and security in the finance industry; and finally all those contributors who must remain anonymous. Thank you.
Contents

1.0: Introduction
1.1: Research Approach
1.2: What is Information Assurance? What is Cybersecurity?
1.3: Security Frameworks and Governance
1.4: Paper Structure
2.0: The Enterprise and Cybersecurity
2.1: The Enterprise: Operational Effectiveness and Strategy
2.2: Information Assurance and Cybersecurity: The Best of Both Worlds
2.3: Information Assurance and Cybersecurity: Competitive Advantage
2.4: Achieving Enterprise Strategy Alignment
2.5: Information Assurance and Cybersecurity Block Enterprise Success
3.0: Cloud Computing: The Next Phase of IT
3.1: A Concept of Many Definitions
3.2: Cloud Implementations and Security Challenges
4.0: Cybersecurity: Operational Effectiveness
4.1: Regulatory Compliance and Security Standard Certification
4.2: Question The Unquestionable: Is Antivirus Worth the Cost?
4.3: Metrics
5.0: Information Assurance and Cybersecurity: Strategic Advantage
5.1: Risk Management
5.1.1: Risk = Probability × Impact
5.1.2: Risk = Danger & Opportunity
5.2: Communicating Cybersecurity
5.2.1: Communicating Cybersecurity to the Boardroom
5.2.2: Communicating Cybersecurity to Front-line Employees
5.3: Analytics
5.3.1: What is Analytics?
5.3.2: Intel ROSI Model
5.4: How To Outsource? That is the Question
5.5: The Value of Information
5.5.1: What is an Intangible Asset?
5.5.2: Valuing Information
5.6: Where Is My Data?
6.0: Implementing a Cybersecurity Programme
6.1: Role of Security in Cisco
6.2: Operationally Effective Desktop Support
6.3: Security as a Strategic Value Proposition
6.4: Security Analytics
6.5: Valuing Information and Analytics
6.6: Communicating Cybersecurity at Cisco
End Note: So, What of the Future?
Bibliography
1.0: Introduction

Despite a history of 2500 years [1], Information Assurance and Cybersecurity remain troubled teenagers within the enterprise family. Legislation has forced IT [2] and Security Governance into the open; however, security departments and professionals are still finding their feet when asked for a consistent and decisive value proposition. Porter, widely held as the founder of modern strategy, developed a paradigm to understand the role of strategy and operational effectiveness in delivering superior enterprise performance [3]. Applying this model to Cybersecurity and Information Assurance provides a framework to judge their contribution to a successful enterprise. In this paper we argue that much of Information Assurance and Cybersecurity relates to Porter’s operational effectiveness. However, a mature security programme can provide the enterprise with competitive advantages by offering a strategy to outperform rivals and “establish a difference that it can preserve” [4].

As enterprise environments change, it is essential for Information Assurance and Cybersecurity to change. Security professionals must review and rework their position within the enterprise to maintain relevance to the prevailing conditions. Carr stated that “IT Doesn’t Matter” [5] because its strategic importance diminished as its ubiquity grew. The latest market iteration and increase in ubiquity is the move to Cloud Computing. This paper uses Cloud Computing to present current issues being faced by Information Assurance and Cybersecurity professionals.

Security professionals have failed to inspire confidence throughout the enterprise because of poor communication skills and a failure to correctly identify their customer. Only by effectively communicating the value of Information Assurance and Cybersecurity will security professionals be consulted to contribute to enterprise decisions. The Harvard Business Review made it clear that business professionals consider the role of Information Assurance and Cybersecurity to be broken when it published “Hack Work” [6] as a breakthrough idea for 2010.

1.1: Research Approach

The approach taken in this paper was to undertake semi-structured interviews with senior security consultants and leaders. The security experts were drawn from a variety of industries including the UK Public Sector, Finance, Petro-chemical and IT Hardware. Based on these discussions, further research was undertaken specifically related to the key trends and issues within the Information Assurance and Cybersecurity arenas.

[1] “In The Histories, Herodotus chronicled the conflicts between Greece and Persia in the fifth century BC [...] According to Herodotus, it was the art of secret writing that saved Greece from being conquered by Xerxes” (Singh 2000, p. 4). This ‘secret writing’ is the earliest example of Confidentiality being used to ensure information does not fall into the hands of an enemy.
[2] Information Technology
[3] Porter (1996)
[4] Porter (1996, p. 62)
[5] Carr (2003, p. 41)
[6] Jensen and Klein (2010, p. 7)
From these interviews, five key themes emerged. They are:
• Strategic Alignment: how Cybersecurity and Information Assurance interface with other areas of the enterprise is critical to success.
• Communication: the importance of effectively communicating the value of Cybersecurity throughout the enterprise.
• Cloud Computing: what it is and how it impacts Cybersecurity and Information Assurance.
• Risk Management: specifically the lack of objective data and the difference in approach compared to other risk management organisations.
• Certification: the increasing requirement for certification.

1.2: What is Information Assurance? What is Cybersecurity?

Information Assurance and Cybersecurity are often used interchangeably. However, a consensus has developed that they refer to subtly different disciplines. Unfortunately the extent of the agreement ends there, and experts cannot agree how the concepts differ. One school of thought considers Information Assurance to be a subset of Cybersecurity, whilst a second considers the reverse to be the case. Much of the confusion arises from the close similarity of the two subjects and from Cybersecurity being a young and developing discipline. Such is the youth of the subject that even the formation of the word is inconsistent, with ‘Cyber Security’, ‘Cyber-security’ and ‘Cybersecurity’ all in common use. For the purposes of this paper, the grammatical definition of Cybersecurity as taken from the Oxford English Dictionary will be used: “the state of being protected against the criminal or unauthorized use of electronic data, or the measures to achieve this.” Information Assurance is, in contrast, a more established discipline with a consistent definition, as typified by CESG [7]: “Information Assurance is the confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users” [8].

Whilst there is considerable overlap between the terms, there are two notable differences. Information Assurance uniquely includes the security of information in non-electronic form, for example the security of hard-copy document storage and transportation. Cybersecurity, in contrast, uniquely considers defending against attacks on computer systems, including control systems, for example those in electricity generation and distribution networks. For the purposes of this paper, Risk Management is considered to be part of both Information Assurance and Cybersecurity. A formulation of risk as the product of probability and impact is used within Information Assurance; however, this paper proposes that other formulations of risk, such as those used in Corporate Finance, offer alternative ways of managing Cybersecurity risk within the enterprise.

[7] CESG is the National Technical Authority for the UK.
[8] CESG (2010)
1.3: Security Frameworks and Governance

From the expert interviews, it was clear that the specific choice between individual security frameworks was not as important as ensuring that a suitable framework was used to ensure structured thinking. No security framework was identified as markedly superior to the others reviewed, and there were examples of enterprises successfully implementing each framework. Historically, Amazon have used COBIT [9] as a framework and only recently adopted the ISO27000 series frameworks, as discussed in section 2.3: Information Assurance and Cybersecurity: Competitive Advantage. Intel, in contrast, have used OCTAVE [10] as a component of the Return on Security Investment (ROSI) programme described in 5.3.2: Intel ROSI Model. The intention of this paper is to highlight current thinking in Information Assurance and Cybersecurity on a range of topics. Through the discussion of these topics insight can be gained, and enterprises can adapt their chosen framework as necessary to maintain the strategic alignment of security initiatives.

1.4: Paper Structure

In the remainder of the paper, we develop the concept of Information Assurance and Cybersecurity as both operational effectiveness and competitive strategy. In section 2.0: The Enterprise and Cybersecurity, we discuss the position and strategic alignment of Information Assurance and Cybersecurity in the enterprise. Then, in section 3.0: Cloud Computing: The Next Phase of IT, we provide a brief overview of Cloud Computing, focusing on two definitions which frame the next two sections of the paper. Section 4.0: Cybersecurity: Operational Effectiveness considers Information Assurance and Cybersecurity as a cost of doing business, and section 5.0: Information Assurance and Cybersecurity: Strategic Advantage considers them as a strategic proposition. Finally, in section 6.0: Implementing a Cybersecurity Programme, we use a case study of Cisco to review the concepts covered within the paper.

[9] COBIT is developed by ISACA.
[10] OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation, developed by Carnegie Mellon University’s CyLab
2.0: The Enterprise and Cybersecurity

In this section we discuss Porter’s and Carr’s contributions to understanding the role of operational effectiveness and strategy in the enterprise. Later sections will use this framework to discuss specific aspects of Information Assurance and Cybersecurity and link them to enterprise objectives.

2.1: The Enterprise: Operational Effectiveness and Strategy

To survive, an enterprise must develop products and services that are required by a set of customers. On balance, the income (or funding) generated by the products or services must be greater than or equal to the costs of producing those offerings. Porter recognised the value of both operational effectiveness and strategy for the performance of any enterprise [11]. But what is meant by operational effectiveness and strategy? Porter defines operational effectiveness as “performing similar activities better than rivals perform them” [12], which can lead to offering lower cost and superior quality at the same time. However, competing with rivals purely on operational effectiveness benefits no one. Improvements in methods raise the level of competition everyone must maintain and do not enhance the position of individual enterprises [13]. Moreover, in the pursuit of operational effectiveness, competition often results in enterprises moving closer together in what Porter describes as “competitive convergence” [14]. Strategy, in contrast, “is about being different” [15] and limiting the aims of an enterprise. In the IT market, NetApp have a tightly focussed strategy and choose to focus exclusively on the manufacture of efficient storage arrays. Hewlett-Packard, in contrast, has a broad strategy and chooses to manufacture servers, laptops and printers in addition to a range of storage arrays.
2.2: Information Assurance and Cybersecurity: The Best of Both Worlds

Information Assurance and Cybersecurity mainly contribute to the operational effectiveness of the enterprise, in a similar way to Carr’s view of IT [16]. However, through risk management and advancing the ‘Risk Frontier’, discussed later in this section, Information Assurance and Cybersecurity can create strategic value.

Carr argues strongly that IT’s “strategic importance has diminished” [17] because of its availability and use in all enterprises. Similarly, key Information Assurance and Cybersecurity controls, such as antivirus and firewalls, have been adopted widely by enterprises. Thus the strategic importance of Information Assurance and Cybersecurity must also have diminished. When security professionals buy similar products from a small range of suppliers, the enterprise’s position is no longer unique. In demanding proof of the robustness of security claims from Common Criteria and other review processes, security professionals diminish the enterprise’s distinctiveness further, as the number of available solutions is restricted. Certifications mandating the use of specific security controls [18] inevitably push Information Assurance and Cybersecurity into Porter’s competitive convergence.

Much of the investment in Information Assurance and Cybersecurity does not protect the confidentiality of the information, but rather safeguards the enterprise from more costly integrity and availability vulnerabilities. Although not the original intention behind the investment, this focus on vulnerabilities matches Carr’s third “New Rule for IT Management” [19] and enhances enterprise operational effectiveness.

The main strategic benefit of Information Assurance and Cybersecurity is to ensure continued safe and compliant operation of the enterprise whilst adopting new technologies and techniques. Wardley [20] explains that as IT is commoditised, how an enterprise uses IT becomes increasingly important. However, adopting new techniques in a bid to gain market share or improved operational effectiveness brings unknown challenges and impacts. How the enterprise responds to these challenges is critical. Stanton [21] explains that for a given set of systems the majority of security events have low impact, as shown in Figure 1. At the other extreme, however, are events that cannot be predicted and have devastating impact, so-called “Black Swan” [22] events. The region between these two classes of security events is the ‘Risk Frontier’.

Figure 1: The ‘Risk Frontier’ redrawn from Stanton [23]. (The figure plots number of events against impact, with three regions labelled ‘BaU Risk Management’, ‘Risk Frontier’ and ‘Black Swan’ Events.)

[11] Porter (1996)
[12] Porter (1996, p. 62)
[13] Van Valen terms this endless pursuit of maintaining the level of competition the ‘Red Queen Hypothesis’. (Van Valen, 1973)
[14] Porter (1996, p. 63)
[15] Porter (1996, p. 63)
[16] Carr (2003)
[17] Carr (2003, p. 41)
[18] The Payment Card Industry Data Security Standard (PCI-DSS) requires the “use and regularly update anti-virus software or programs” to gain certification. PCI Security Standards Council (2010, p. 5)
[19] Carr (2003, p. 48). Carr’s three New Rules for IT Management consist of: spend less; follow, don’t lead; and focus on vulnerabilities, not opportunities.
[20] O’Reilly Media (2010)
[21] Stanton (2011)
[22] Taleb (2010, p. xxii) describes a ‘Black Swan’ event as having three properties: firstly, it is an ‘outlier’ on a distribution, an extremely rare event; secondly, it carries an extreme impact; finally, in spite of it being an ‘outlier’, human nature makes us concoct explanations for its occurrence after the fact.
[23] BaU: Business as Usual. Stanton (2011)
Enterprises respond to the majority of security events via automated systems such as antivirus software and firewalls, often without even noticing. However, where an enterprise is positioned relative to the Risk Frontier is down to the Information Assurance and Cybersecurity functions. Only by careful risk management can an enterprise survive operating close to the Black Swan boundary and gain greater rewards than competitors by undertaking more ‘risky’ activities.

2.3: Information Assurance and Cybersecurity: Competitive Advantage

Cybersecurity and Information Assurance contribute to the success of an enterprise in an identical way to launching a new product or entering a new market. Porter explains that the competitive advantage of an enterprise is the result of “all a company’s activities, not only a few” [24]. If done well, Information Assurance and Cybersecurity can boost profitability by aligning to enterprise strategy. Equally, if implemented badly or misaligned, these activities can damage profits.

There is an important distinction to be made between ‘aligning to enterprise strategy’ and the more commonly heard ‘aligning to the enterprise’. By aligning to the enterprise strategy, Cybersecurity and Information Assurance are undertaking activities to deliver outcomes to the enterprise’s customer [25], that is, the consumer of the enterprise’s products and services. The only way to serve customers is to produce outcomes that extend beyond the perimeter of the enterprise. Aligning to the enterprise, in contrast, does not deliver the outcomes required and creates an artificial divide between Cybersecurity and Information Assurance professionals and the rest of the business. Hunter and Westerman explain, “if alignment is the goal and the topic under discussion, then the [security] team is in effect showing that it is not focussed on the outcomes that matter.”

A good example of Information Assurance and Cybersecurity delivering outcomes to enterprise customers is Amazon Web Services (AWS). A recent survey [26] found 43% of respondents felt the risks of Cloud Computing outweighed the benefits. This lack of consumer confidence could stall Amazon’s growth plans for AWS. In responding to this concern, Amazon’s security functions have gained internationally recognised security accreditations [27] for AWS in an attempt to prove the security of the system to their customers. What makes this significant is Amazon’s acceptance of the cost of accreditation, particularly as Amazon’s cost controls are more stringent than those of most enterprises. Vance [28] illustrates the extent of the cost controls by describing that the light fixtures in Amazon’s reception area “aren’t fixtures at all but rather collections of extension cords fitted with bulbs”.

2.4: Achieving Enterprise Strategy Alignment

Previously we discussed the importance of aligning Information Assurance and Cybersecurity activities with enterprise strategy. But how is this achieved? Moreover, Cybersecurity and Information Assurance initiatives are often designed to change business practices. Thus an understanding of change management is essential to embed the outcomes delivered by security initiatives. Looking to other areas of the enterprise, Programme Management and Enterprise Architecture can respond to these requirements.

In many organisations, Cybersecurity and Information Assurance have emerged as significant parts of the enterprise only as a result of regulatory requirements. Information Assurance and Cybersecurity projects have been formed to respond to specific requirements and are not structured to align to an overarching business strategy. Grouping these projects into an “Emergent Programme” [29] enables the enterprise to ensure alignment between the individual initiatives and the overarching enterprise strategy. The positioning of Cybersecurity and Information Assurance as an Emergent Programme is consistent with the requirement to focus on outcomes. As the Office of Government Commerce (OGC) describe, “Programmes deal with outcomes; projects deal with outputs.” [30] Additionally, programme management contains processes and mechanisms to embed the changes necessary to affect the enterprise culture.

Whilst the focus of programme management is to deliver outcomes, the role of Enterprise Architecture is to improve cost efficiencies in the implementation of IT systems. Rather than develop solutions to meet the specific requirements of an initiative, Enterprise Architecture uses a common base architecture to deliver all solutions. Ross explains that this architecture is used to implement systems and processes that reflect the enterprise’s “desired level of standardization and integration” [31]. Whilst TOGAF [32] positions itself as an Enterprise Architecture framework, it is simply a specialisation of more generic programme management methodologies. TOGAF’s Architecture Development Method (ADM) is congruent to the OGC’s Managing Successful Programmes framework. As discussed previously, the specific variant of programme management framework is not significant to the outcomes delivered. What is important is that a framework is used to maintain a structured approach to the emergence of Information Assurance and Cybersecurity as a critical area of the enterprise for delivering outcomes.

2.5: Information Assurance and Cybersecurity Block Enterprise Success

Whilst business change is hard to achieve, the task is made more difficult by the poor reputation of Information Assurance and Cybersecurity within the enterprise. Whether justified or not, security professionals have gained a reputation for saying ‘No!’ more often than ‘Yes!’. Non-security areas of the enterprise believe Information Assurance and Cybersecurity professionals occupy a position of unquestionable expertise, owing to the deep technical knowledge required to secure IT systems. Moreover, the perceived reluctance to break through the Risk Frontier has further damaged the reputation of Information Assurance and Cybersecurity.

[24] Porter (1996, p. 62)
[25] Hunter and Westerman (2009, p. 36)
[26] ISACA (2011)
[27] Including PCI-DSS Level 1, ISO 27001 and HIPAA certifications
[28] Vance (2011, p. 1)
[29] Office of Government Commerce (2007, p. 6)
[30] Office of Government Commerce (2007, p. 4)
[31] Ross (n.d.)
[32] TOGAF: The Open Group Architecture Framework
This view of Information Assurance and Cybersecurity blocking enterprise success was further highlighted when the Harvard Business Review chose “Hack Work” [33] as one of its breakthrough ideas for 2010. The description of the idea depicts a bank employee socially engineering a database vendor to gain a password and direct access to a database. As a result of bypassing security controls, the employee increased his access and became “incredibly productive” and a “hero to the senior execs” [34]. Importantly, this perception has the potential to marginalise Information Assurance and Cybersecurity within the enterprise. An example of this marginalisation is sales professionals adapting their techniques to accommodate both IT and security professionals’ reluctance to adopt Cloud Computing. As Ryden of MarginPro, a pricing service for commercial loans, states: “We sell around the technology guys and straight to the business folks.” [35] How to effectively communicate the value of Information Assurance and Cybersecurity is discussed further in section 5.2.

[33] Jensen and Klein (2010, p. 7)
[34] Jensen and Klein (2010, p. 8)
[35] Vance (2011, p. 7)
3.0: Cloud Computing: The Next Phase of IT

Cloud computing is a hot topic. IBM recently raised its 2015 cloud revenue forecast from $3 billion to $7 billion and is currently experiencing a doubling of revenue, year on year [36]. Goodburn and Hill respond to the question ‘What is ‘Cloud’?’ simply with “A business imperative” [37]. The ability to access computing, storage and network resource instantly and at very low cost makes the operational effectiveness of adopting Cloud Computing compelling.

3.1: A Concept of Many Definitions

What is Cloud Computing? A relatively simple question at first glance; but, like much of the IT industry, every expert we interviewed for this paper had a different answer to that question. The most commonly cited definition of Cloud Computing is provided by NIST [38]. The main contribution of this definition has been to provide a list of essential characteristics, service models and deployment models. The inclusion of “Rapid Elasticity” as an ‘essential characteristic’ is critical to the definition, as it differentiates the new concept of Cloud Computing from the ‘co-located server’ market developed in the 1990s. A criticism of the NIST model, however, is that it is written for a technical (IT) audience and fails to provide a concise, ‘elevator-pitch’ definition of the type required by business. Thus more concise definitions have proliferated: Wardley identified sixty-seven different definitions before settling on his own [39]. This inability to characterise Cloud Computing has added to its ambiguity and mystique among Cybersecurity, Information Assurance and wider IT professionals. Two definitions that resonate well from a business perspective are:

• “Cloud Computing is a transition from IT as a product to IT as a service” [40], which typifies the argument that the scales and economies achievable within Cloud Computing are transformational to the enterprise. Moreover, the ability to pay for only what is used changes the provision of IT from a capital cost to an on-demand, per-task operating expense.
• “Cloud Computing is an outsourcing model” [41], which typifies the argument that Cloud Computing is nothing new and that the selling of spare capacity within mainframe computers was commonplace in the 1960s and 1970s.

Both of these definitions provide useful contexts in which to consider Information Assurance and Cybersecurity. Thus, for the purposes of this paper, both definitions are considered and used in ‘5.0: Information Assurance and Cybersecurity: Strategic Advantage’ to illustrate how Cybersecurity and Information Assurance can contribute to the competitive advantage of an enterprise.

[36] Vance (2010)
[37] Goodburn and Hill (2010, p. 2)
[38] NIST (2011)
[39] O’Reilly Media (2009)
[40] O’Reilly Media (2009)
[41] Stanton (2011)
3.2: Cloud Implementations and Security Challenges

The NIST model for cloud computing provides three service models and four deployment models. However, in practice only the Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) service models are commonly discussed. The deployment models consider whether a cloud service provider offers services to any member of the public (a Public Cloud) or whether an enterprise has sole use of the cloud (a Private Cloud). SaaS acts as an application service and provides applications that meet specific business requirements, such as managing customer engagement, without the need for the enterprise to maintain the system. In contrast IaaS offers the ability to run arbitrary code on a scalable managed infrastructure, where the consumer does not incur maintenance requirements. A service provider uses virtualisation to offer multiple virtual machine instances on a single server and can offer computational power at costs drastically lower than standard server farms. For example, Amazon AWS offers 142 hours of computing time for $1 based on a Micro Spot Instance located in Virginia, USA42.

Later sections of this paper consider specific topics relating to the security challenges of using Cloud Computing services. ‘Is my data too valuable to release?’ is a common consideration before releasing enterprise data to a Cloud Computing service provider and is considered in section 5.5. Moreover, when releasing data to a Cloud Computing service provider, ‘Where is my data?’ both geographically and on which server within the data centre becomes important. This topic is discussed in section 5.6.

In addition to these questions, concerns over the availability of Cloud Computing providers persist. The concern over the availability of Cloud Computing is a relic of system administrators’ expectations of enterprise-grade servers which are found within enterprise data centres. However, as the number of systems increases, the Mean-Time-To-Any-Failure reduces such that in a cloud of 10,000 servers, one server could be expected to fail every few hours43. Using the common analogy of Cloud Computing being a utility such as electricity, data centre engineers rarely install business critical servers without some form of backup power supply because of the likelihood of supply failure. Thus expecting the utility of Cloud Computing to remain constantly stable is to place unrealistic expectations on the service. As with using an alternative electricity supply, enterprises should consider using several Cloud Computing service providers to maintain availability. Peter Hewson (Angerona), a security expert interviewed for this paper, proposes that using multiple Cloud Computing providers can further enhance security as it ensures the “aggregation of business intelligence”44 by a single provider is avoided.

42 Amazon (2011a)
43 Barroso and Hölzle (2009)
44 Interview, London (2011)
4.0: Cybersecurity: Operational Effectiveness

Previously in section 2.2, we concluded that Information Assurance and Cybersecurity mainly contribute to the operational effectiveness of an enterprise. Improvements in operational effectiveness lead to a reduction in enterprise costs and thus an increase in profitability. In this section we consider three topics relating to improving the operational effectiveness of enterprises. They are: regulatory compliance, justifying the cost of common security controls and the use of metrics to effectively measure the performance of enterprise security.

4.1: Regulatory Compliance and Security Standard Certification

Keeping enterprise directors out of jail has been a key motivator for senior buy-in to Information Assurance and Cybersecurity within the enterprise. Regulatory compliance requirements are imposed on enterprises as a prerequisite to being in specific markets. Thus groups of competing enterprises have common compliance requirements and must implement the necessary controls with cost efficiency. When gaining regulatory compliance and certification, it is essential to only tackle relevant risks so as not to incur unnecessary expense. Even when enterprises are certified compliant, it does not mean systems are secure, but rather communicates that a minimum standard has been achieved.

The scandals of Enron, Tyco and WorldCom started a rush of US security and privacy regulations to reduce fraud. The most prominent piece of legislation from this period is Sarbanes-Oxley (SOX). When working towards regulatory compliance, it is essential to consider the business processes before considering any IT systems or security controls used to deliver the process. Failure to implement this top-down approach in the first year of SOX implementation resulted in an estimated $3 billion of unnecessary costs.45 IT controls made up the single largest category of remedial actions required by enterprises. However, during later analysis, many of these controls were found “not to be direct risks to accurate financial reports and did not result in any material weakness”46.

In addition to how compliance is implemented, it is important to understand which regulations and standards apply. Andy Gill (ASE), a security expert interviewed for this paper, noted the importance of relevant standards being included in contracts. On occasion, “it seems that legal departments have searched Google for ‘security standards’”47. This lack of understanding when buying services can lead to poor operational effectiveness and incurring unnecessary costs. Andy explained that in the worst case he has seen, “the standards were both obsolete and irrelevant”48.

Some enterprises choose not to complete a standard certification process, often in an attempt to avoid costs. However, the enterprises may choose to implement controls they consider to be ‘compliant’ with the standard requirements, without being tested. During the interview for this paper, Peter Hewson (Angerona) warned that this logic is a false economy: “Being compliant is less cost effective than being certified”49. Central to this concern is the appreciation that the process of certification provides a set of controls and processes which are deemed sufficient to gain certification. Without independent assessment, security administrators can over compensate with controls and incur unnecessary costs.

Security accreditations are subject to an important misconception: gaining a security certification does not mean a system is secure. Rather it demonstrates that a process has been followed and a minimum standard has been achieved. Thus the enterprise can communicate to suppliers and partners that certain processes have been undertaken and controls are in place. Prior to being the victims of major security compromises, both Heartland Payment Systems and RBS Worldpay were PCI-DSS50 certified and were listed as approved service providers. As a response to the successful compromise of the security systems, Visa revoked the service providers’ certifications51.

A final challenge when seeking to gain security certification is that occasionally mandated controls cannot be applied. Health and Safety is more important than either Information Assurance or Cybersecurity and can thus prevent the implementation of security controls as prescribed by security standards. During the interviews for this paper, GW explained a situation that arose during the security certification of an oil refinery52. In the control room of the refinery there was a single computer that had control over all systems on the site and had the ability to shut down processing in the event of a safety incident. The standard being applied to the refinery required that all computers must be password-protected and that the passwords must be changed at regular intervals. However, in an emergency safety could be compromised by delays caused by entering passwords, thus passwords were not configured on the system. In this instance other compensating controls were used to prevent unauthorised access to the computer and the certification was validated without the mandated password.

4.2: Question The Unquestionable: Is Antivirus Worth the Cost?

As previously discussed, effective cost control is essential to maintain operational effectiveness. Some security standards mandate the use of specific controls53 and require the enterprise to incur the associated cost. However, beyond these mandated requirements, Information Assurance and Cybersecurity often seek to replicate controls as ‘best practice’ throughout the enterprise, without considering the cost burden of these actions. Antivirus54 is an example of a protective measure often used by Information Assurance and Cybersecurity without questioning the rationale. But is antivirus worth the cost? Whilst the threat profile and risk appetite of an enterprise contribute to an organisation-specific answer, in general we argue that the cost incurred from blanket use of antivirus is difficult to justify. Selective installation of antivirus, in contrast, provides a cost efficient way of maintaining the availability and integrity of computer systems.

45 Kim, Love and Spafford (2008, p. 50)
46 Kim, Love and Spafford (2008, p. 50)
47 Interview, London (2011)
48 Interview, London (2011)
49 Interview, London (2011)
50 PCI-DSS: Payment Card Industry - Data Security Standard
51 Finextra (2009)
52 Interview, London (2011)
53 PCI-DSS explicitly requires the “use and regularly update anti-virus software or programs”. PCI Security Standards Council (2010, p. 5)
54 Antivirus is used to cover the range of systems which detect malicious software, such as: viruses, Trojans, Worms etc.
The argument against the blanket use of antivirus is that, in its current form, antivirus does not work. The most common type of antivirus deployed within enterprises uses signature detection to identify malicious software. This method of detection uses unique strings from known viruses to identify further instances of the malicious code. However, to overcome detection, virus writers use encryption and obfuscation techniques to hide malicious software, creating polymorphic software. Researchers55 have tested the feasibility of using signatures to identify all possible virus variants using current polymorphic techniques. Unfortunately, the research concludes “we would much sooner run out of atoms than attackers run out of decoders”56 used to hide malicious software.

Importantly, the use of polymorphism is widespread in the cybercriminal community. One prolific virus that uses polymorphism is Zeus. Users of the Zeus Crimeware Toolkit can create their own tailored piece of malicious software, each with a unique signature, which explains why Symantec researchers have detected “70,330 unique variants”57. The challenge Zeus poses antivirus is significant and ‘Figure 2: Antivirus Detection Rate of Zeus Malware Samples’ illustrates the detection rate of 1,753 Zeus samples submitted to 43 antivirus products. As shown, only nine samples (0.5% of those tested) were detected by all of the antivirus systems. In contrast, 176 samples (10.0% of those tested) were not detected by over 90% of the antivirus products tested.

Figure 2: Antivirus Detection Rate of Zeus Malware Samples 58
(values read from the chart; x-axis: % of antivirus products tested (n = 43) that correctly identified the sample as malicious, closer to 100% is better; y-axis: number of Zeus malware samples tested (n = 1,753))

  % of products detecting sample    0%   10%   20%   30%   40%   50%   60%   70%   80%   90%  100%
  Number of samples                176   332   204   168   145   203   111   141   201    63     9

55 Song, et al. (2007)
56 Song, et al. (2007, p. 6)
57 Coogan (2009)
58 Spamhaus, (2011)
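The two percentages quoted above can be recomputed from the chart, and the same counts answer a question the paragraph leaves open: how much of the Zeus sample set a single product can be expected to catch. The following is an added example written for this edit, not code from the paper or its authors. The eleven counts are read off Figure 2; treating each x-axis label as the lower edge of a 10-point band (with 100% holding the samples every product caught) is an assumption about the chart's binning, not something the paper states.

```python
"""Figure 2 of the paper, as numbers (added example; counts read from the chart).

1,753 Zeus samples were submitted to 43 antivirus products. Each key below is an
x-axis label from the chart, assumed to be the lower edge of a 10-point band of
"% of products that detected the sample"; 100 holds the samples caught by all.
"""

DETECTION_HISTOGRAM = {
    0: 176, 10: 332, 20: 204, 30: 168, 40: 145, 50: 203,
    60: 111, 70: 141, 80: 201, 90: 63, 100: 9,
}


def total_samples(hist=DETECTION_HISTOGRAM):
    return sum(hist.values())


def share_detected_by_all(hist=DETECTION_HISTOGRAM):
    """Fraction of samples that 100% of the products identified."""
    return hist[100] / total_samples(hist)


def share_detected_by_fewer_than(percent, hist=DETECTION_HISTOGRAM):
    """Fraction of samples caught by fewer than `percent`% of the products.

    percent=10 reproduces the paper's "not detected by over 90% of products";
    percent=50 gives the samples that a majority of products missed.
    """
    return sum(n for band, n in hist.items() if band < percent) / total_samples(hist)


def mean_single_product_coverage(hist=DETECTION_HISTOGRAM):
    """Expected fraction of samples one product catches, using band midpoints.

    The midpoint (band + 5) is an assumption about where samples sit inside
    each 10-point band; the 100% band is exact.
    """
    weighted = sum(n * (100 if band == 100 else band + 5) for band, n in hist.items())
    return weighted / total_samples(hist) / 100


def summary(hist=DETECTION_HISTOGRAM):
    """Headline figures, in percent, rounded the way the paper quotes them."""
    return {
        "samples": total_samples(hist),
        "detected_by_all_pct": round(100 * share_detected_by_all(hist), 1),
        "missed_by_over_90pct_of_products_pct": round(100 * share_detected_by_fewer_than(10, hist), 1),
        "missed_by_majority_of_products_pct": round(100 * share_detected_by_fewer_than(50, hist), 1),
        "mean_single_product_coverage_pct": round(100 * mean_single_product_coverage(hist), 1),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The counts sum to the 1,753 samples the chart states, which is a useful check that they were read correctly. Under the midpoint assumption an average product detects a little over 40% of the samples, and well over half of the samples are missed by a majority of the 43 products, which is the quantitative form of the paper's argument that signature-based detection is a weak basis for blanket deployment.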
An alternative way of detecting viruses is to identify anomalous characteristics within software, so called ‘heuristic detection’. This method aims to detect previously unknown viruses by detecting behaviour such as attempting to gain privileged access to sensitive files. Whilst heuristic based detection faces a more tractable problem, testing by Anti-virus Comparative59 demonstrates that the best performing antivirus product was able to detect only 62% of previously unknown malicious software, leaving 38% undetected. Moreover, when viruses are detected and remedial actions are implemented, attackers can simply change their methodologies, repackage known viruses and regain access to computer systems60.

The fallibility of antivirus products may lead to a conclusion that it is a cost that does not produce reliable outcomes. However, when viewed as a cost efficient method of ensuring the availability of systems and reducing the cost of recovering from known virus infections, the case for using antivirus becomes more balanced. Like an enterprise, attackers seek to be operationally effective and maximise the return for their efforts. Viewed from an attacker’s perspective, Kazanciyan and Glyer exclaimed “Simple is cheap, and still works!”61 Escalation to more advanced techniques only occurs once the impact of simpler techniques has been reduced. Thus two distinct operating models develop: firstly using increasingly sophisticated techniques to attack a specific victim and secondly using less sophisticated techniques to attack an increasing range of victims.

The first operating model pushes the limit of antivirus capability and challenges high-threat enterprises such as banks to continually track and counter the evolution of attack methods. This dedicated response to attacks is expensive to maintain and is difficult to justify for all but the highest threat industries. However, as a by-product of this costly investment, the results of malicious software research are shared within the security community and provided to antivirus vendors for incorporation in their products. Thus knowledge is transferred from a high-threat, high-capability environment to other environments on a regular basis.

The second operating model is more relevant to the majority of enterprises and results in those without antivirus being exploited and incurring recovery costs. The automation of attacks results in the cost of exploitation of an unspecified enterprise being low for the attacker. However, the victim enterprise incurs a higher recovery cost for each successful attack. Thus it is more cost effective to use antivirus than attempt to recover from regular attacks.

4.3: Metrics

Log files are invaluable when responding to breaches of security. However, the original purpose of these files was for system administrators to manage IT infrastructures and ensure their continued operation. System administrators recognised that by monitoring log files over extended periods, trends emerged and by using certain measures or metrics the number of unscheduled outages could be reduced. Although the predictive use of metrics is common within IT system administration, this technique is not widely used by Information Assurance and Cybersecurity professionals. In contrast

59 Anti-virus Comparative (2010)
60 Kazanciyan and Glyer (2010)
61 Kazanciyan and Glyer (2010)
security professionals often rely on alerts from antivirus products and intrusion detection systems (IDS) to notify that an incident is occurring, despite the availability of precursor data.

Metrics are often collected and analyzed for maintenance reasons62; however, Hunter and Westerman63 propose a second use of metrics to show the value of specific IT and security investment. Both maintenance metrics64 and value metrics65 contribute to the management and control of Information Assurance and Cybersecurity initiatives and, as DeMarco states, “You can’t control what you can’t measure”.66

An alert from an antivirus product or IDS is rarely the first time the process of an attack could have been detected. For attacks targeting a specific enterprise it is well understood that an attacker must first enumerate the victim’s IT systems before attempting to exploit the security. Thus the potential value of metrics is to identify precursor events, rather than focus on the outputs from systems that detect late in the attack cycle.

More broadly than these technical maintenance metrics, Lacey suggests taking a lead from Health and Safety and considering the bad practices to near misses and on to major incidents. Figure 3: Lacey’s Remodelling of Heinrich’s Safety Triangle shows Lacey’s reworking of a Health and Safety hierarchy to illustrate the number of detection opportunities available before a major security incident occurs.

Beyond the early detection of attacks, maintenance metrics can be used to provide targeted training in secure development practices to developers who habitually produce insecure software. Code analysis tool metrics such as “Defects per 1000 Lines of Code” and “Vulnerability Density (vulnerabilities per unit of code)”67 can be used to measure performance on a per-developer basis.

62 Jaquith (2007)
63 Hunter and Westerman (2009, p. 24)
64 Maintenance metrics use figures to assist in the maintenance of systems.
65 Value metrics use figures to communicate the value of a system’s quality and performance.
66 DeMarco (1982, p. 3)
67 Jaquith (2007, p. 75)
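The point that an IDS or antivirus alert arrives late, while enumeration of the victim's systems is observable earlier, can be turned into a maintenance metric over logs the enterprise already keeps. The following is an added example written for this edit, not code from the paper or its authors. It assumes a simple firewall log line format, and the addresses, timestamps and the threshold of five distinct targets within ten minutes are all constructed for the example rather than taken from the paper.

```python
"""Precursor-event metric over firewall logs (added example, not from the paper).

Each log line is assumed to look like "<ISO timestamp> <ALLOW|DENY> <src> <dst>:<port>".
The metric is, per source address, the largest number of distinct destination
host:port pairs it touched inside any sliding window. A source that touches many
distinct targets in a short window looks like enumeration, the precursor the
paper says precedes exploitation, and can be tracked as a trend long before any
IDS signature fires.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source probing several ports on one host within
# seconds, one ordinary repeat visitor, and one source seen twice hours apart.
SAMPLE_LOG = """\
2011-06-01T09:00:01 DENY 203.0.113.7 10.0.0.5:21
2011-06-01T09:00:02 DENY 203.0.113.7 10.0.0.5:23
2011-06-01T09:00:02 ALLOW 203.0.113.7 10.0.0.5:22
2011-06-01T09:00:03 DENY 203.0.113.7 10.0.0.5:25
2011-06-01T09:00:04 ALLOW 203.0.113.7 10.0.0.5:80
2011-06-01T09:00:05 ALLOW 203.0.113.7 10.0.0.5:443
2011-06-01T09:00:07 DENY 203.0.113.7 10.0.0.5:3389
2011-06-01T09:15:00 ALLOW 198.51.100.4 10.0.0.5:443
2011-06-01T09:16:10 ALLOW 198.51.100.4 10.0.0.5:443
2011-06-01T09:17:20 ALLOW 198.51.100.4 10.0.0.5:443
2011-06-01T08:00:00 ALLOW 192.0.2.9 10.0.0.5:22
2011-06-01T17:30:00 ALLOW 192.0.2.9 10.0.0.6:22
"""


def parse_line(line):
    """Split one log line into its fields; the format is this example's assumption."""
    timestamp, action, src, target = line.split()
    return {"time": datetime.fromisoformat(timestamp), "action": action,
            "src": src, "target": target}


def max_targets_in_window(events, window):
    """Largest count of distinct targets one source touched inside any window.

    Both ALLOW and DENY lines count: a denied probe is still evidence of
    enumeration, and is exactly the data the paper says goes unused.
    """
    events = sorted(events, key=lambda e: e["time"])
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for event in events[i:]:
            if event["time"] - start["time"] > window:
                break
            seen.add(event["target"])
        best = max(best, len(seen))
    return best


def enumeration_scores(log_text, window_minutes=10):
    """Map each source address to its peak distinct-target count per window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)
    window = timedelta(minutes=window_minutes)
    return {src: max_targets_in_window(evs, window) for src, evs in by_src.items()}


def precursor_sources(log_text, window_minutes=10, min_targets=5):
    """Sources whose peak score reaches the (constructed) threshold."""
    scores = enumeration_scores(log_text, window_minutes)
    return sorted(src for src, n in scores.items() if n >= min_targets)


if __name__ == "__main__":
    for src, score in sorted(enumeration_scores(SAMPLE_LOG).items()):
        print(f"{src}: peak distinct targets in 10 min = {score}")
    print("precursor candidates:", precursor_sources(SAMPLE_LOG))
```

Counting flagged sources per day or per week gives the maintenance metric the section describes: a trend that can be watched and reported in the same way system administrators watch outage precursors, rather than a single alert that arrives once the attack has progressed.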
Figure 3: Lacey’s Remodelling of Heinrich’s Safety Triangle 68
(read from the chart, from the top of the triangle to its base)
  1 Major Incident
  29 Minor Incidents
  300 Near Misses
  Thousands of bad practices

Metrics can be used to effectively communicate the value of Information Assurance and Cybersecurity. However, Information Assurance and Cybersecurity professionals mistakenly attempt to use the same maintenance metrics to communicate value and maintain performance. For example, few areas of the enterprise beyond IT could assess the importance and value of Firewall Availability as 93%. Executives are left to ask ‘What business functions were affected by the 7% of time the Firewall was unavailable?’ and ‘What business outcomes were not achieved as a result?’.

To effectively communicate the value of Information Assurance and Cybersecurity, it is necessary to “use metrics about quality and price for visible services.”69 These metrics enable the cost of services to be directly compared, while enabling the enterprise to choose the required level of quality. Hunter and Westerman explain that the focus should be “achieving the right level of quality at the best possible price”70. Moreover, unit costs should be used to further facilitate comparisons between business groups and enterprises and manage performance improvements.

Figure 4: Value Metrics for Secure Remote Working and Perimeter Protection illustrates a short set of metrics that communicate the value of security controls for two types of system in a way easily understood by executives. Compiling these metrics for individual Lines-of-Business effectively explains what the impact of security controls is on the enterprise.

Figure 4: Value Metrics for Secure Remote Working and Perimeter Protection

  Security Service: Secure Remote Working (Laptop, HDD Encryption & VPN)
    Cost Metrics: Cost per Laptop; Cost per MB transferred
    Service Level Metrics: Hours of Downtime; Time to Install; Time to Problem Resolution; Performance

  Security Service: Perimeter Protection (Firewalls, Email Scanning & IDS)
    Cost Metrics: Cost per Mailbox; # of Mailboxes; Cost per MB transferred
    Service Level Metrics: Hours of Downtime; Message Delivery Time; Performance

68 Lacey (2009, p. 51)
69 Hunter and Westerman (2009, p. 45)
70 Hunter and Westerman (2009, p. 21)
5.0: Information Assurance and Cybersecurity: Strategic Advantage

In the previous section, we discussed the importance of cost control and measurement of performance to ensure Information Assurance and Cybersecurity contribute to the operational effectiveness of an enterprise. However, to consider Information Assurance and Cybersecurity as only a cost of doing business is to underplay the significant value the disciplines can create by safely extending the enterprise Risk Frontier. In this section, we consider the strategic competitive advantages Cybersecurity can offer with particular reference to Cloud Computing.

The transition model discussed in section 3.0 is used to consider how Cloud Computing impacts on the core security activities of risk management, communicating Cybersecurity and analysing metrics. Risk and risk management are often considered solely the preserve of Information Assurance71. However, we assert that understanding other definitions of risk already used by the enterprise is of benefit to Cybersecurity. Through this new understanding, different operating models can be used to create operational value for the enterprise. The two definitions of risk are discussed in section 5.1. Information Assurance and Cybersecurity professionals cannot realise the value of these new models without engaging with other areas of the enterprise. For this reason it is essential to consider how to communicate Cybersecurity throughout the enterprise and this is covered in section 5.2. Finally we consider the opportunity to use Cloud Computing to perform analytics and how it enables the enterprise to extend metrics to assess future opportunities in section 5.3.

The outsourcing model of Cloud Computing is used to discuss specific challenges which Cloud Computing poses to an enterprise. The overall challenge of outsourcing is considered in section 5.4 and the specific challenges of valuing information and understanding the impact of data location are covered in sections 5.5 and 5.6.

5.1: Risk Management

As described in section 2.2, the Risk Frontier describes events that are beyond the scope of business-as-usual security controls, but are predictable in contrast to Black Swan events. Information Assurance and Cybersecurity have the potential to extend the Risk Frontier and undertake activities that are deemed ‘too risky’ by competitors. In return for operating in a more risky environment, the enterprise anticipates a greater return. Risk management is a central pillar of Information Assurance; however, to extend the Risk Frontier a broader understanding of risk management is required than is traditionally used by Information Assurance. We contend that these alternate definitions provided by finance and corporate communications offer Cybersecurity professionals the opportunity to enhance the position of the enterprise. Moreover, this broader understanding of risk is essential as Information Assurance “falls into the category of disciplines that have developed risk management in isolation”72.

71 ISO (2010a)
72 Hutton and Hubbard (2011, p. 1)
  22. 22. 22 | P a g e The most common formula73 used by Information Assurance: ܴ݅‫݇ݏ‬ = ܲ‫ݕݐ݈ܾܾ݅݅ܽ݋ݎ‬ × ‫ݐܿܽ݌݉ܫ‬ is only one of several methods used by enterprises to understand risk. Moreover, this formula guides the enterprise to focus on the negative impact of undesirable events. Risk in finance in contrast considers both positive and negative returns being defined as the variability of actual returns around those expected. Damordaran74 extends this definition and presents the formula: ܴ݅‫݇ݏ‬ = ‫ݎ݁݃݊ܽܦ‬ & ܱ‫ݕݐ݅݊ݑݐݎ݋݌݌‬ This formula makes no attempt at unbiased objectivity, which is often the goal of Information Assurance and Cybersecurity risk management. This view, and its acceptance of subjectivity, is consistent with research showing cognitive bias and emotions prevent humans from being entirely objective in assessing risk. Slovic75 identified there are two fundamental ways in which humans comprehend risk: the ‘analytic system’ and the ‘experiential system’. The ‘experiential system’ being the most common way to respond to risk and is based on intuition rather than formal logic. The second formula provides a different understanding of risk. Used in combination, the formula offers opportunities to develop a more complete risk management strategy than is employed by many Information Assurance and Cybersecurity programmes today. 5.1.1: Risk = Probability × Impact Although this formula is commonly used by Information Assurance, it is the most fragile of the three formulas presented. The original form developed by Roper76 : ݈ܵ݅݊݃݁ ‫ݏݏ݋ܮ‬ ‫ݕܿ݊ܽݐܿ݁݌ݔܧ‬ = ‫ݐ݁ݏݏܣ‬ ܸ݈ܽ‫݁ݑ‬ × ‫݈݅݁݇݅ܮ‬ℎ‫݀݋݋‬ ‫݂݋‬ ‫ݏݏ݋ܮ‬ is often used to understand the relative importance of assets and to communicate the value of potential loss to business leaders. However, as Schneier77 highlights “It’s a good idea in theory, but it’s mostly bunk in practice”78 . In theory, this formula provides the necessary detail to make the judgements required to sell cyber insurance. 
However, the core of the problem with the formula is a lack of accurate data for either the probability or the impact variable. As Geer explains robustly, “the numbers are too poor to even lie with”79. To overcome this lack of data, Vispoli of Chubb Insurance is cited as saying the strategy for pricing cyber insurance is to “price them high and see what happens”80. Rapidly changing IT environments and the complexity of computer systems make the collection and modelling of consistent risk data difficult to achieve over a long period. However, as Hubbard explains, “everything is measurable”81, and the contribution such Diagnostic Metrics could offer the enterprise is significant.

73 NIST (2002, p. 1)
74 Damodaran (2008, p. 6)
75 Slovic (2004)
76 Roper (1999, p. 15)
77 Schneier (2008)
78 Schneier (2008, p. 1)
79 Geer (2004 cited in Jaquith, 2007, p. 32)
80 Vispoli (2010 cited in Bejtlich, 2010)

In the absence of objective data, this formula often resorts to subjective assessments and, as Schneier82 explains, “the math quickly falls apart when it comes to rare and expensive events”83. Without a strong base of objective data, it is nearly impossible to defend an opinion, and outcomes are based on the degree of influence of each party. Andy Gill (ASE) cited Grimshaw v Ford Motor Co. (1981) as an example of the dangers of incorrectly assigning Asset Values84. During testing of the Pinto model, Ford identified that in specific types of collision the fuel tank would rupture and ignite because of its position behind the rear axle. In assessing whether to undertake changes to the design which were known to improve the safety of the car, Ford conducted a risk/reward calculation. When calculating the risk of injury, Ford valued a life at $200,000 and the cost of a serious injury at $67,000. As a result of these calculations, it was deemed too expensive to modify the Pinto, and thus Ford sold the car in the US knowing the danger posed by the fuel tank. Following Grimshaw’s victory in the case, the court awarded punitive damages of $125M to act as a deterrent to future risk/reward calculations.

5.1.2: Risk = Danger & Opportunity

Conceptually this formula is more robust; however, to overcome the fragility of the previous example it is based on a subjective measure. Damodaran’s concept of risk uses the Chinese symbol for risk, which he describes as best capturing the “duality” of risk.
Figure 5: Chinese Symbol For Risk85

The symbol is composed of a “combination of danger (crisis) and opportunity” and for Damodaran “captures perfectly both the essence of risk and the problems with focussing purely on risk reduction”.86 As Farshchi87 identifies, this perspective of balancing “risk and value toward enablement of the business, not to just simplistically reduce risk” contradicts the mindset of many Cybersecurity and Information Assurance professionals. Damodaran’s premise is that, as risk is composed of both danger and opportunity, it is not possible to have one without the other. Moreover, when pricing risk in terms of investments, one cannot increase opportunity without accepting an associated increase in danger. Thus, in an enterprise seeking either profit or cost-saving opportunities to gain operational effectiveness, the level of opportunity available is directly related to the level of danger the enterprise is prepared to accept.

81 Hubbard (2007, p. 1)
82 Schneier (2008)
83 Schneier (2008, p. 2)
84 Interview, London (2011)
85 Damodaran (2008)
86 Damodaran (2008, p. 6)
87 Farshchi (2010)
Consider the two extremes that this concept of risk offers Cybersecurity as operational effectiveness: ‘No security: maximum cost savings’ and, at the other extreme, ‘Total security: no cost savings’:

• No security: maximum cost savings. An enterprise decides that no security procedures should be put in place, thus providing the greatest opportunity to reduce cost. However, a Cybersecurity professional would highlight that this exposes the business to an increased danger of attack, with an associated drop in system availability and loss of valuable data.

• Total security: no opportunity to reduce cost. An enterprise employs every possible security control available and ensures security to the highest possible standard, incurring the associated costs. If a rival enterprise does not employ the same level of security, then the enterprise loses competitive advantage by unnecessarily incurring costs and reducing profits.

Neither of these propositions is wrong; however, neither offers an optimal solution nor represents an intuitively sensible decision. A middle ground is required. Where the middle ground lies depends on the individual enterprise. This is the notion of Risk Appetite within the organisation: the level of danger an enterprise is prepared to accept. However, it is not necessary for the enterprise to have a single Risk Appetite; rather, it is possible to have varying levels for different lines-of-business depending on the growth strategy for those areas. Both Netflix and H&R Block have extended their Risk Frontier and used Cloud Computing to gain competitive advantage and cost efficiencies (the opportunity) over their competitors. Overcoming security concerns (the danger) has enabled Netflix to be “almost 100% in the public cloud”88. Similarly, H&R Block stores the highest level of sensitive personal data, PCI-DSS Category 1, in the Amazon Web Services Public Cloud89.
These examples have led Cloud Computing experts to contend that any confidential data can be hosted in the public Cloud90.

5.2: Communicating Cybersecurity

“Executives, like everyone else, see what is brought to their attention.”91

Communication is an essential part of modern business and thus of Cybersecurity and Information Assurance. Without communication, informed investment decisions cannot be made, budgets cannot be allocated, users cannot be educated on the dangers of the Internet and new security initiatives cannot be launched. If Information Assurance and Cybersecurity fail to communicate effectively with other areas of the enterprise, the result can be managers bypassing them entirely to deliver the enterprise strategy. As Stanton explains, “There are at least two security departments I know of that don’t have a seat at the cloud table.”92 However, how to communicate effectively is often overlooked by Information Assurance and Cybersecurity professionals. In the words of Peter Drucker, the founder of modern management theory:

88 Cockcroft (2011, cited in Reilly (2011))
89 Cockcroft (2011)
90 Cockcroft (2011)
91 Hunter and Westerman (2009, p. 19)
92 Stanton (2011)
“It is the recipient who communicates. The so-called communicator, the person who emits the communication, does not communicate. He or she utters. Unless there is someone who hears, there is no communication.”93

This perspective is contrary to the view often taken by security professionals. As experts discussing complex topics, it is all too easy to start from a position of ‘What do I want to say?’ rather than ‘What does the listener want to hear?’ To communicate effectively it is essential to differentiate the message based on the audience. Not only must one “know what the recipient expects to see and hear”94, but one must also be aware that “one can communicate only in the recipient’s language or terms”95. The two extremes of this communication spectrum are the Boardroom and front-line employees. As PwC advise, “If you’re not talking ROI96, the boardroom isn’t listening”97, and Peter Hewson (Angerona), an independent security consultant interviewed for this paper, notes, “When it comes to front-line employees, the starting point is always ‘What’s in it for me?’”98.

5.2.1: Communicating Cybersecurity to the Boardroom

Schneier99 represents a vocal majority of Information Assurance and Cybersecurity professionals who consider Return on Investment (ROI) an unsuitable term for use in the context of security. Schneier argues, “Security is not an investment that provides a return [...]. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings.”100 However, the root of this argument stems from the view that security controls and measures are primarily required to safeguard the confidentiality of information rather than to ensure the availability of the IT infrastructure, as discussed in section 2.2.
This approach to communicating Cybersecurity leads to what Hunter and Westerman term ‘Value Traps’, which prevent security programmes “from delivering value, and prevent the rest of the business from seeing the value delivered”101. When making investment decisions, the principal aim of the boardroom is to understand whether value for money is being achieved. The use of ROI acts as a transparent and consistent method of understanding and comparing the value of diverse programmes. Thus, communicating Cybersecurity to the boardroom is essentially an exercise in communicating the value of Cybersecurity to the enterprise. As discussed in the previous section, enterprises and individual lines-of-business within an enterprise have different risk appetites. Unit cost metrics enable the value of security measures applied for each risk appetite to be measured, comparisons to be drawn between the quality of service provided to each line-of-business, and costs to be baselined between enterprises. Thus, the operational effectiveness of Information Assurance and Cybersecurity is measured and can be effectively communicated through diagrams such as Figure 6: Intel's Unit Cost / Quality Matrix.

93 Drucker (2001, p. 391)
94 Drucker (2001, p. 393)
95 Drucker (2001, p. 392)
96 ROI – Return on Investment.
97 PwC (2005, p. 29)
98 Hewson (2011)
99 Schneier (2008)
100 Schneier (2008, p. 1)
101 Hunter and Westerman (2009, p. 8)
Figure 6: Intel's Unit Cost / Quality Matrix102 (chart: IT products and services such as e-mail, laptop, desktop, PBX+VM, enterprise business computing, engineering computing, flex computing, manufacturing computing, mainframe, WAN and computing platform, plotted by unit cost against quality, each axis running from best in class to worst in class)

5.2.2: Communicating Cybersecurity to Front-line Employees

“Security experts frequently refer to people as ‘The weakest link in the chain’”103. As Beautement, Sasse and Wonham explain, “A significant number of security breaches result from employees’ failure to comply with security policies”104. On preliminary analysis, one could conclude that users are “hopelessly lazy and unmotivated on security questions”105. However, whilst “one may improve the psychological acceptability”106 of a delay attributed to a security requirement, delays users consider to be excessive lead to the counterargument that “anything that loses time is not good for the business”107. We propose that these issues arise through the failure of Information Assurance and Cybersecurity professionals to communicate the value of Cybersecurity and to answer front-line employees’ question, ‘What’s in it for me?’. Herley108 argues that security “advice offers to shield [users] from the direct costs of attacks, but burdens them with increased indirect costs, or externalities. Since the direct costs are small relative to the indirect one, they reject this bargain”109. This situation occurs as a result of two problems. Firstly, because of a lack of compromise data, Information Assurance and Cybersecurity professionals speak of the worst-case risk rather than the most probable. Secondly, the cost of user effort is underestimated and assumed to be negligible. Herley asserts that this is an “enormous miscalculation: it treats as free a resource that is actually worth $2.6 billion an hour”110 for the US adult online population. The research concludes:

102 Redrawn from Hunter and Westerman (2009, p. 59)
103 Sasse and Flechais (2005, p. 13)
104 Beautement, Sasse and Wonham (2008, p. 47)
105 Herley (2009, p. 1)
106 Egelman et al. (2010, p. 9)
107 Beautement, Sasse and Wonham (2008, p. 50)
108 Herley (2009)
109 Herley (2009, p. 2)

“’Given a choice between dancing pigs and security, users will pick dancing pigs every time.’ While amusing, this is unfair: users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security”111.

To resolve this situation four actions are suggested112:

• Gain a better understanding of the actual harms endured by users.
• Ensure the cost of any security advice is in proportion to the victimization rate.113
• Retire advice that is no longer compelling.
• Prioritise the advice presented to users.

Beautement, Sasse and Wonham114 approach the topic in a similar way and introduce the concept of a ‘Compliance Budget’ as a measure of individuals’ perception of the costs and benefits of compliance with enterprise security goals. The research concludes that “an individual’s Compliance Budget sets a cap on the effectiveness of security practices they are involved in. [...] once the threshold is crossed, the individual will choose work-arounds motivated by his or her own needs, rather than the more altruistic process of compliance”115.

5.3: Analytics

In section 5.1.1: Risk = Probability × Impact, we discussed the lack of security data within the enterprise and the resulting failure of Single Loss Expectancy as a method of communicating the value of a potential loss.
One significant exception to this is Intel’s use of Analytics to develop a model for the “Return on Security Investment” (ROSI) in their manufacturing environment116. Rosenquist estimates that $18M per year of losses is avoided as a result of the application of the model.

5.3.1: What is Analytics?

Davenport and Harris define analytics as “the extensive use of data, statistical and quantitative analysis, explanatory and predictive models, and fact-based management to drive decisions and actions.” Analytics build on the opportunities metrics offer the enterprise, as discussed in ‘4.3: Metrics’. The analysis of metrics (the lower four boxes of ‘Figure 7: Hierarchy of Analytics Extending Reporting and Metrics’) seeks to quantify what has happened or is happening, and where. Analytics seek to extend this to answer questions such as ‘Why is this happening?’ and to offer views of the future (the upper four boxes).

110 Herley (2009, p. 9)
111 Herley (2009, p. 11)
112 Herley (2009, p. 10)
113 User education is a cost borne by the whole population, while offering benefit only to the fraction that fall victim.
114 Beautement, Sasse and Wonham (2008)
115 Beautement, Sasse and Wonham (2008, p. 53)
116 Rosenquist (2007, p. 1)
Figure 7: Hierarchy of Analytics Extending Reporting and Metrics117 (diagram, from top to bottom: Optimisation: What's the best that can happen? / Predictive Modeling: What will happen next? / Forecasting / Extrapolation: What if the trend continues? / Statistical Analysis: Why is this happening? / Alerts: What action is needed? / Query / Drill Down: Where exactly is the problem? / Ad-hoc Reports: How many, how often and where? / Reports: What happened?)

Many large enterprises have found analytics to offer both competitive advantages, through the ability to offer differentiated services to customers, and increased effectiveness of decisions. Significant users of analytics include Netflix and Google in e-Commerce, Capital One in financial services and O2 in telecommunications118. Analytics often require large datasets and conducting analysis with a range of statistical tools and simulations. Cloud Computing offers a cost-efficient way of completing the large number of computations required by analytics. An example of the economies achievable by using Cloud Computing is illustrated by MarginPro, a pricing service for commercial loans. Vance119 explains, “for every $10 million in revenue the company makes off this work, it pays $1,500 in cloud fees to Microsoft.” Moreover, a Northrop Grumman researcher developing a ‘cybersecurity system’ took “less than a day to train machine-learning algorithms on more than 1.3 million files”120 by using the Amazon cloud.

117 Adapted from Davenport and Harris (2007, p. 8)
118 Davenport and Harris (2007, p. 7)
119 Vance (2011, p. 7)
120 Vance (2011, p. 6)

5.3.2: Intel ROSI Model

As discussed in ‘5.2.1: Communicating Cybersecurity to the Boardroom’, to effectively communicate security to the boardroom it is essential to use terms that are easily understood, namely ROI. The requirement for the Intel ROSI model was to meet this very requirement and estimate “the return on investment for security programmes that reduce the number of incidents in manufacturing processes”. The development of the model began in 2005 to assist in justifying investment costs, but also to identify best-of-breed products, compare the value of programmes against non-security initiatives and make data-driven decisions. Importantly, a key feature of the model is to make predictive estimates of the losses likely to be incurred by not adopting security controls. Intel developed the ROSI model using data from 18,000 computers collected over a two-year period (equivalent to over 13 million computer-days)121, in addition to a variety of other financial and management databases. Using this data, an ‘Impact / Valuation Calculation Engine’ estimates the value of planned security programmes using the following inputs:

• Attack Incident Occurrence Data
• Business Impact and Outage Data
• Business Loss and Cost Data
• Risk Mitigation Security Programme

Using the earliest data as a baseline to assess three subsequent security programmes, Intel was able to measure a 99% reduction in security incidents and a 396-fold increase in the days between incidents.122 Rosenquist estimates that over $18M is avoided as a result of the security programmes implemented, and the model’s predictions have been measured to be 87% accurate.

5.4: How To Outsource? That is the Question.

As a method of gaining operational effectiveness, outsourcing business functions to cheaper external suppliers “seem[s] like a no-brainer”.123 Cloud Computing can be seen as a continuation of this trend and considered to be a cost-efficient method of externalising IT resources to deliver operational effectiveness. Few other areas of business operations have a greater potential to bring Information Assurance and Cybersecurity into conflict with business strategy. However, the speed with which an enterprise can adopt this type of step change in capability is a source of competitive advantage. Like previous iterations of outsourcing, Cloud Computing offers enterprises the ability to realise short-term cost savings, increase revenue per employee and transform fixed costs into a variable, on-demand payment.124 But with the benefits comes a loss of visibility and control.
While the impact of this shift on events and security breaches may be at the forefront of Information Assurance and Cybersecurity professionals’ concerns, the location of information and the shift in employee loyalty from the enterprise to the service provider should also be concerns. Although by outsourcing business functions the enterprise transfers the responsibility for delivering secure functions, it does not transfer accountability for any breaches. In 2010, the UK Financial Services Authority (FSA) fined the UK branch of Zurich Insurance Plc £2.275m (€2.74m) for the data security failings of an outsourcing supplier which lost the personal details of 46,000 customers125. The FSA specifically cited Zurich UK’s failure to “ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement” as a problem. The lack of “proper reporting lines”126 and suitable incentives resulted in Zurich UK not being informed of the breach by the supplier for a year.

121 Rosenquist (2007, p. 9)
122 Rosenquist (2007, p. 10)
123 Manget and Mercier (2011)
124 Lacey (2010)
125 Financial Services Authority (2010)

Contracts are often the preferred method of ensuring that specific business processes and practices are maintained. Importantly, the design of incentives within the contract is critical to the security of the outsourced service and is a new area of research. In a departure from the traditional highly technical subjects considered by security researchers, Anderson and Moore used economics and game theory to evaluate contracts in outsourced environments and the security failures resulting from bad incentives.127 Further, Cezar, Cavusoglu and Raghunathan128 devised two ‘optimal’ contracts for outsourcing both security device management and security monitoring to the same service provider, concluding that the use of penalty clauses in contracts to penalise security breaches resulted in the service provider having no incentive to detect errors or breaches. In addition to a comprehensive yet flexible contract, good governance and maintaining lines of communication are essential to successful outsourcing.129 However, where these are available in traditional outsourcing models, Cloud Computing does not afford the same degree of control. Peter Hewson (Angerona) explains, “Fundamentally it is the lack of control and visibility of events which deter security professionals from adopting Cloud Computing”130. As discussed in section 2.3, it is these motivations that have led Amazon to gain security certifications for the AWS.

5.5: The Value of Information

As discussed previously in section 5.1, an accurate understanding of ‘Asset Values’ would assist an enterprise to measure risk more effectively. This, combined with accurate data on the probability of an event occurring, would lead to an objective assessment of risk.
Unfortunately, Bader and Rüther131 found that 44.4% of management decisions are made using cost-based valuation models, which attribute an unrealistically low value to patents and information. Enterprises have both tangible and intangible assets. The security and value of tangible assets, those that can be touched, are straightforward to comprehend. Physical security devices such as strong rooms or vaults have been used for centuries to secure items that are deemed precious or valuable to their owner. Only the physical size of the secure container limits the volume of assets an owner is able to protect. In contrast, the security and value of intangible assets is a recent development and far from a mature subject.

5.5.1: What is an Intangible Asset?

A range of organisations have produced standards for the valuation of intangible assets, including the International Valuation Standards Council (IVSC)132 and the International Organization for Standardization (ISO)133. However, for this paper the most common definition, from International Financial Reporting Standards (IFRS), is used. The IFRS defines an intangible asset as “an identifiable nonmonetary asset without physical substance.”134 The IFRS identify three critical attributes that all intangible assets must have: they must be identifiable, controlled, and expected to generate future economic benefits. Thus computer software, patents, copyrights and business intelligence are all identified as intangible assets.

126 Financial Services Authority (2010)
127 Anderson and Moore (2007, p. 68)
128 Cezar, Cavusoglu and Raghunathan (2010)
129 Lacey (2010)
130 Interview, London (2011)
131 Bader and Rüther (2009)
132 Guidance Note 4
133 ISO 10668 (ISO, 2010)

Centuries of tangible asset valuations have enabled efficient markets to develop, and the price of assets such as precious metals is valued on a continuous basis. In contrast, the first valuation of an intangible asset was made by News Corp in 1984 when “Rupert Murdoch’s worldwide publishing empire included a valuation for ‘publishing titles’ in its balance sheet”135. This was an attempt to reconcile the difference between the price paid to acquire publishing titles (or brands) and the underlying assets. The move to value self-created intangible assets was made in 1988 when Rank Hovis McDougall (RHM) defended a hostile takeover by an Australian food conglomerate.

5.5.2: Valuing Information

In both the News Corp and RHM valuations, the intangible assets being valued were the brands. Over the past 27 years, valuation of brands has become a common undertaking for enterprises, and whilst the process remains subjective, an understanding of valuation has evolved. However, the valuation of patents remains far from consistent, with a variety of different methods being used. Bader and Rüther136 surveyed the top 500 patent applicants to the European Patent Office to understand how patents were valued by the applicants. The survey identified three main approaches to valuation:

• Cost-based: using reproduction or replacement cost models.
• Market-based: using a validated analogy which has a market price attached.
• Income-based: using expected cash flows over the useful life of the asset to estimate current value.

Bader and Rüther conclude that of these approaches, the income-based model offered the most robust method.
The weakest method was considered to be the cost-based model, as it only provides a ‘minimum price threshold’ and does not consider the value of ‘game changing’ ideas. Figure 8: Monetary Valuation by Business Need reproduces data from Bader and Rüther to illustrate the extent to which each valuation model is used within the enterprise to make three types of decision. Whilst Accounting and Dispute Resolution activities were found to be most often income-based (Accounting: 42.9%) and market-based (Dispute Resolution: 43.2%), Management Decisions were shown to rely heavily on cost-based valuations (Management: 44.4%). Bader and Rüther’s finding is of concern as it illustrates that, even with data available, management decisions routinely use the least effective method, which undervalues information.

134 Deloitte Global Services (2009)
135 Penrose and Moorhouse (1989)
136 Bader and Rüther (2009)
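The following is an added worked example, not code from the paper or from Intel: a small ‘impact / valuation calculation engine’ in the spirit of the Intel ROSI model of section 5.3.2, fed by an asset valued with the three approaches of section 5.5.2 and passed through Roper’s Single Loss Expectancy formula of section 5.1.1. Every figure, asset and fleet in it is constructed for illustration; the function names, the IncidentData record and the accuracy measure are assumptions of this example, not the Intel model’s own interface.

```python
"""Added worked example (constructed figures, not the paper's data):
an impact / valuation calculation engine linking the three valuation
approaches (cost, market, income), the Single Loss Expectancy formula
and an incident-driven Return on Security Investment (ROSI) estimate."""
from dataclasses import dataclass


# ---- Three ways to value an intangible information asset -----------------

def cost_based_value(reproduction_cost: float) -> float:
    """Cost-based: what recreating the asset would cost today.
    Bader and Rüther regard this as only a 'minimum price threshold'."""
    return reproduction_cost


def market_based_value(comparable_price: float, adjustment: float = 1.0) -> float:
    """Market-based: price of a validated analogue, scaled for differences."""
    return comparable_price * adjustment


def income_based_value(cash_flows: list[float], discount_rate: float) -> float:
    """Income-based: present value of expected cash flows over useful life."""
    return sum(cf / (1.0 + discount_rate) ** t
               for t, cf in enumerate(cash_flows, start=1))


# ---- Roper's Single Loss Expectancy --------------------------------------

def single_loss_expectancy(asset_value: float, likelihood_of_loss: float) -> float:
    """SLE = Asset Value x Likelihood of Loss (likelihood as a 0..1 fraction)."""
    return asset_value * likelihood_of_loss


# ---- Incident data feeding a ROSI estimate (assumed record layout) --------

@dataclass(frozen=True)
class IncidentData:
    """Attack-incident occurrence and outage data for an observed fleet."""
    computers: int
    days: int
    incidents: int
    mean_outage_hours: float

    @property
    def computer_days(self) -> int:
        return self.computers * self.days

    @property
    def days_between_incidents(self) -> float:
        return self.days / self.incidents

    def incidents_per_year(self, fleet: int) -> float:
        """Scale the observed rate (incidents per computer-day) to a fleet."""
        return self.incidents / self.computer_days * fleet * 365


def annual_loss(data: IncidentData, fleet: int, cost_per_outage_hour: float) -> float:
    """Business loss per year = incidents x outage hours x cost per hour."""
    return data.incidents_per_year(fleet) * data.mean_outage_hours * cost_per_outage_hour


def programme_report(baseline: IncidentData, after: IncidentData,
                     fleet: int, cost_per_outage_hour: float,
                     programme_cost: float) -> dict:
    """The kind of measures the paper reports for the Intel model: incident
    reduction, fold increase in days between incidents, avoided loss, ROSI."""
    avoided = (annual_loss(baseline, fleet, cost_per_outage_hour)
               - annual_loss(after, fleet, cost_per_outage_hour))
    base_rate = baseline.incidents / baseline.computer_days
    after_rate = after.incidents / after.computer_days
    return {
        "incident_reduction": 1.0 - after_rate / base_rate,
        "days_between_fold_increase": (after.days_between_incidents
                                       / baseline.days_between_incidents),
        "avoided_loss": avoided,
        "rosi": (avoided - programme_cost) / programme_cost,
    }


def prediction_accuracy(predicted: float, actual: float) -> float:
    """Closeness of a predicted avoided loss to the loss later measured."""
    return 1.0 - abs(predicted - actual) / actual


if __name__ == "__main__":
    # Constructed asset: a customer dataset valued three ways. The same
    # likelihood of loss then yields very different SLEs, so a cost-based
    # valuation makes the same control look far less worth funding.
    values = {
        "cost": cost_based_value(250_000.0),
        "market": market_based_value(600_000.0, adjustment=0.8),
        "income": income_based_value([300_000.0] * 3, discount_rate=0.10),
    }
    for method, value in values.items():
        print(f"{method:>7} value {value:>12,.0f}  "
              f"SLE {single_loss_expectancy(value, 0.2):>10,.0f}")

    # Constructed fleet data: one year before and one year after a programme.
    baseline = IncidentData(computers=2000, days=365, incidents=400, mean_outage_hours=4.0)
    after = IncidentData(computers=2000, days=365, incidents=4, mean_outage_hours=4.0)
    report = programme_report(baseline, after, fleet=2000,
                              cost_per_outage_hour=500.0, programme_cost=200_000.0)
    print(report)
    print("accuracy", prediction_accuracy(report["avoided_loss"], 700_000.0))
```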
Figure 8: Monetary Valuation by Business Need137 (chart: % of activity using Cost, Market or Income valuation models, by type of activity: Dispute Resolution, Accounting, Management)

5.6: Where Is My Data?

The location of data, both geographically and within the data centre, is of concern to enterprises seeking to use Cloud Computing. The geographic location of data presents issues relating to data protection and more complex regulatory compliance, whilst the location of data within a given data centre provides practical challenges for the security certification of a deployment. Simply put, if a European enterprise uses a Cloud Computing Service provider based in the US, it is necessary for the enterprise to comply with both US and relevant EU regulations. Whilst this increases costs, in isolation it does not automatically preclude the use of international service providers. The obstacle most often cited as blocking the use of international service providers is the different approaches which the US and the European Union (EU) take to data privacy. To overcome these differences, the US has established a ‘US-EU Safeharbor Framework’ to enable US companies to implement controls in line with EU expectations and thus gain access to larger markets. A more subtle issue, often overlooked when buying Cloud Computing services, is the jurisdiction in which disputes are arbitrated. Amazon AWS, for example, requires that all disputes be filed in King County, Washington state138. Moreover, Amazon specifically precludes the use of the United Nations Convention for the International Sale of Goods, which is commonly used to arbitrate in international sales disputes. Security experts have concerns relating to how it is possible to scope Cloud Computing for security certification. This point was raised by Peter Hewson (Angerona) in the query “How can I accredit a system that I cannot scope?”139 This issue is further complicated as Cloud Computing providers rarely present the exact architecture of their data centre, relying instead on block diagrams to illustrate the key components of the system.

137 Bader and Rüther (2009)
138 Amazon (2011)
139 Interview, London (2011)

A rare exception to this is Barroso and Hölzle’s presentation of Google’s design methodology for the ‘Warehouse-Scale Machine’.140 It is clear from Google’s methodology that it is not feasible to predict where a specific virtual machine instance will run, both because of load-balancing in the system and because of its failure-tolerant design. As discussed in section 2.3, Amazon has taken steps to certify the AWS to a range of international security standards. However, it is important to note that the security certifications only apply to the hardware and processes controlled by Amazon. Thus, for an enterprise using the Amazon AWS, an additional certification for the configuration of the operating system and software applications is necessary.

140 Barroso and Hölzle (2009)