Making Leaders Successful Every Day
May 8, 2009 | Updated: August 4, 2009
How Secure Is Your Cloud?
by Chenxi Wang, Ph.D.
For Security & Risk Management Professionals
© 2009, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.

How Secure Is Your Cloud?
A Close Look At Cloud Computing Security Issues
This is the first document in the "Secure Cloud Computing" series.
by Chenxi Wang, Ph.D. with Jonathan Penn and Allison Herald

Executive Summary

Amid a downturn economy, organizations increasingly look to cloud computing to improve operational efficiency, reduce headcounts, and help with the bottom line. But security and privacy concerns present a strong barrier to entry. In an age when the consequences and potential costs of mistakes are rising fast for companies that handle confidential and private customer data, IT security professionals must develop better ways of evaluating the security and privacy practices of cloud services. An effective assessment strategy must cover data protection, compliance, privacy, identity management, secure operations, and other related security and legal issues. The ultimate goal: Make the cloud service work like your own IT security department and find ways to secure and optimize your investments in the cloud.

Table Of Contents

Cloud Computing Has The Industry Abuzz
But What About Security And Privacy?
Why Cloud Security Deserves Special Scrutiny
Handling Cloud Security Concerns
  Security And Privacy
  Dealing With Compliance
  Other Legal And Contractual Issues
Recommendations: Users Of Cloud Services Should Pay Special Heed To Cloud Security
What It Means: Cloud Computing Will Change The Role Of IT Security Professionals
Supplemental Material

Notes & Resources

Forrester interviewed 10 vendor and user companies, including Boeing, Google, Qualys, salesforce.com, The Jericho Forum, Websense, and other end user organizations.

Related Research Documents

"Businesses Take BC Planning More Seriously," February 29, 2009
"Future View: The New Tech Ecosystems Of Cloud, Cloud Services, And Cloud Computing," August 28, 2008
"IT Outsourcers Enhance Buyers' Options For Enterprise Managed Security Services," July 7, 2008
Cloud Computing Has The Industry Abuzz

Cloud computing is omnipresent today. Many organizations are using cloud applications on a daily basis — Forrester's Enterprise And SMB Software Survey, North America And Europe, Q4 2008, shows that 21% of software decision-makers are using or piloting software-as-a-service (SaaS), and another 26% are considering adopting SaaS.[1] Business strategists are eyeing the cloud as the next cost-saving and efficiency measure. There is even a movement at the national level: Vivek Kundra, the country's recently named federal CIO, is being tasked to push the adoption of cloud-based services across the federal IT landscape. The enormous interest in cloud computing can be credited to these tangible benefits:

· Operational benefits. A cloud-based infrastructure, with its robust, massively redundant infrastructure, can often provide better uptime and availability. Additionally, because cloud services start with a prebuilt foundation, provide good support for easy provisioning, and allow consistent upgrades, using a cloud service can expedite the launch of new IT projects and can help to speed up innovation.

· Financial benefits. The pay-as-you-go model, instead of investing capital expenditures upfront, allows greater flexibility in cash flow. This means that companies can scale gracefully according to demand and fund more projects simultaneously, all without having to plan capacity, investments, and personnel a priori. Moreover, your ongoing operational overhead should be lower, as someone else is managing your operations. Taken together, your total cost of ownership using a cloud service should be lower than a traditional on-premise alternative.[2]

· Better support for collaboration and community computing. Collaboration and community computing allow multisource input and multiparty computing, which is what cloud computing does best. Community computing and collaboration bring benefits that are not attainable with local computation only — an example is cloud-based threat services, such as distributed denial of service (DDoS) or spam detection. A cloud service that has wide visibility of Internet traffic would see the onset of an attack more quickly and accurately than any local threat detector.

But What About Security And Privacy?

Cloud computing comes in many forms: There are SaaS providers like salesforce.com; platform-as-a-service (PaaS) like Amazon's SimpleDB; Web services that offer application programming interfaces (APIs) that enable developers to use functionality over the Internet, such as Yahoo! Maps and Flickr; and even traditional hosting services like those offered by Savvis and AT&T.[3]

Why Cloud Security Deserves Special Scrutiny

Cloud computing differs from traditional outsourcing because the latter model is still very much standalone computing — either you take your server and put it in someone else's data center, or you have a service provider managing your devices. You know exactly where your data/host is and
what resources, if any, you share with others. Cloud computing decouples data from infrastructure and obscures low-level operational details, such as where your data is and how it's replicated. Multitenancy, while rarely used in traditional IT outsourcing, is almost a given in cloud computing services. These differences give rise to a unique set of security and privacy issues that not only impact your risk management practices, but have also stimulated a fresh evaluation of legal issues in areas such as compliance, auditing, and eDiscovery.

Recently, an online privacy group — The Electronic Privacy Information Center (EPIC) — lodged a formal complaint against Google's security and privacy practices with the US Federal Trade Commission (FTC).[4] EPIC's complaints are centered around three points: 1) Google heavily advertises its security controls to consumers, yet disclaims all responsibility in its Terms of Service; 2) the "harm" caused by the recent Google Docs privacy breach; and 3) Google's security and privacy controls are inadequate. While this complaint targets Google's consumer services, some of the specific points, including the Google Apps privacy flaw, apply to enterprise customers.

Many agree that security and privacy represent a strong barrier to entry and are top-of-mind for IT organizations considering adopting cloud services. Forrester interviewed close to a dozen vendors and IT users about the security issues for cloud computing. We synthesized those conversations into three main areas (see Figure 1):

· Security and privacy. Concerns such as data protection, operational integrity, vulnerability management, business continuity (BC), disaster recovery (DR), and identity management (IAM) make up the list of security issues for cloud computing. Privacy is another key concern — data that the service collects about the user (e.g., event logs) gives the provider valuable marketing information, but can also lead to misuse and violation of privacy. One way for customers to evaluate a provider's security and privacy practices is through auditing, which can help to lend some visibility into the vendor's internal operations. However, auditing goes against the very grain of cloud computing, which attempts to abstract away the operational details by providing easy-to-use interfaces and APIs. A cloud provider may not allow internal audits, but it should offer provisions for some form of external audit of its infrastructure and network.

· Compliance. Users who have compliance requirements need to understand whether, and how, utilizing cloud services might impact their compliance goals. Data privacy and business continuity are two big items for compliance. A number of privacy laws and government regulations have specific stipulations on data handling and BC planning. For instance, EU and Japanese privacy laws demand that private data — email is a form of private data recognized by the EU — be stored and handled in a data center located in EU (or Japanese) territory. Government regulations that explicitly demand BC planning include the Health Insurance Portability and Accountability Act (HIPAA), Federal Financial Institutions Examination Council (FFIEC), Basel II, Payment Card Industry (PCI), and the UK Civil Contingencies Act.[5]
· Legal and contractual issues. Liability and intellectual property are just a few of the legal issues that you must consider. Liability is not always clear-cut when it comes to cloud services. The same goes for intellectual property (IP). For some services, the IP issue is well understood — the cloud provider owns the infrastructure and the applications, while the user owns her data and computational results. In other cases, the division is not quite so clear. In software mashups, or software components-as-a-service, it can be difficult to delineate who owns what and what rights the customer has over the provider. It is therefore imperative that liability and IP issues are settled before the service commences. Other contractual issues include end-of-service support — when the provider-customer relationship ends, customer data and applications should be packaged and delivered to the customer, and any remaining copies of customer data should be erased from the provider's infrastructure.

Figure 1: Cloud Computing Issues Checklist (Source: Forrester Research, Inc.)

Area: Security and privacy
Topics: Data segregation and protection; Vulnerability management; Identity management; Physical and personnel security; Data leak prevention; Availability; Application security; Incident response; Privacy

Area: Compliance
Topics: Business continuity and disaster recovery; Logs and audit trail; Specific requirements (e.g., PCI, HIPAA, EU privacy, Basel II, FFIEC)

Area: Other legal and contractual issues
Topics: Liability; Intellectual property; End of service support; Auditing agreement
Handling Cloud Security Concerns

Google's recent security bug, which led to a population of Google Docs users inadvertently sharing their docs with a wider audience than they intended, is but one example of security flaws that could happen with cloud services.[6] In 2007, one of salesforce.com's employees fell victim to a phishing attack, which led to the leak of a salesforce.com customer list. This in turn resulted in another wave of phishing attacks targeting these customers.[7] Similarly, payroll SaaS provider Automatic Data Processing (ADP) has also been the victim of phishing attacks. Steve Whitlock from the Jericho Forum said: "Like many others, we see huge potential and benefits for moving into 'the cloud,' but we see risks, security issues, and interoperability issues. The community has much work to do to make the cloud a safe place to collaborate."

Security And Privacy

Securing your applications or data when they live in a cloud provider's infrastructure is a complicated issue because you lack visibility and control over how things are being done inside someone else's network. However, the security concerns that you would have if things were operating on-premise, such as securing infrastructure, applications, and data, should also apply to cloud services. Because you don't have the same level of control or access to recourse actions when things go wrong, you need to take extra care in evaluating the vendors' security and privacy practices. For security and privacy, companies must consider these aspects: data protection, identity management, vulnerability management, physical and personnel security, application security, incident response, and privacy measures.

Take data protection, for example. You should engage in these evaluation activities with your vendor: 1) review the vendor's data protection techniques for both data at rest and data in motion and ensure the strength of the cryptosystem (if any) is adequate for your requirements; 2) ensure that the provider has adequate documentation for auditors; 3) review the vendor's authentication and access control procedures and ask whether any third party (e.g., a third-party service provider) may have access to the data or infrastructure, and how; 4) review the vendor's architecture to ensure proper data segregation; and 5) if data leak prevention (DLP) is a requirement, review the vendor's DLP deployment to protect against insider attacks (see Figure 2).
Figure 2: Security And Privacy Checklist (Source: Forrester Research, Inc.)

Topic: Data protection
• Data segregation
  - How do you separate my data from other customers' data?
• Data-at-rest protection
  - Where do you store my data?
  - Encryption and data integrity
  - Access control and authentication
  - Documentation for auditors
• Data-in-motion protection
  - How do you get data from me to you?
  - How do you transfer data from one place to another?
• Data leak prevention capabilities (if applicable)
• Can any third party (your service providers) access my data, and how?
• Can you ensure all my data is erased at the end of service?

Topic: Vulnerability management
• Show evidence of your vulnerability management program
• How often do you scan for vulnerabilities on your network and applications?
• Can I conduct an external vulnerability assessment on your network, and how?
• What's your vulnerability remediation process?

Topic: Identity management
• Can you integrate directly with my directories, and how?
  - Review the architecture of integration
  - Ensure it doesn't create a security risk for my own infrastructure
• If you keep your own user accounts:
  - How do you secure user IDs and access credentials?
  - How do you handle user churn (e.g., provisioning and de-provisioning accounts)?
• Can you support SSO, and which standards?
• Can you support federation, and which standards?

Topic: Physical and personnel security
• Restricted and monitored access to critical assets 24x7
• If dedicated infrastructure is desired, ensure it is isolated and ask how often they scan it for vulnerabilities on the network and applications
• Background checks for all relevant personnel? How extensive?
• Do you document employee access to customer data?
• Have you gone through a SAS 70 audit, Type I or Type II? Can you share the audit result?

Topic: Availability
• How many nines do you guarantee in the SLA?
• What availability measures do you employ to guard against threats and errors?
  - Do you use multiple ISPs?
  - Do you have DDoS protection, and how?
• Provide historical availability data
• What is your downtime plan (e.g., service upgrades, patches)?
• What is your peak load, and do you have enough capacity for such a load?

Figure 2: Security And Privacy Checklist (Cont.)

Topic: Incident response
• What is your procedure for handling a data breach?
  - Can notification occur within a specified time period?
  - In what format do notifications go out, and what information do they contain?
• Ensure that the vendor's incident response procedures do not violate our own incident response requirements.

Topic: Privacy
• Ensure that critical data (e.g., payment card numbers) is properly masked and only authorized individuals have access to the entirety of the data.
• Show me how you protect digital identities and credentials and use them in cloud applications.
• What data do you collect about me (logs, etc.)? How is it stored? How is the data used? How long will it be stored?
• What are the conditions under which third parties, including government agencies, might have access to my data?
• Can you guarantee that third-party access to shared logs and resources won't reveal critical information about my organization?

Topic: Application security
• Do you follow OWASP guidelines for application development?
• Do you have a rigorous testing and acceptance procedure for outsourced and packaged application code?
• What about third-party apps (components) you use in your services?
• What application security measures (if any) do you use in your production environment (e.g., application-level firewall, database auditing)?

Dealing With Compliance

Regulations, such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), and HIPAA, and industry standards like the Payment Card Industry Data Security Standard (PCI DSS) mandate controls over the operation of infrastructure and systems and the handling of critical data. Cloud computing has the potential to put compliance at risk, as it requires you to hand over IT controls to someone else and, in the process of doing so, introduces uncertainties in these aspects:

· Business continuity and disaster recovery. You should understand what your vendor's BC and DR plan is. Make sure that it has proper documentation of its processes, for review and auditing purposes. Whenever necessary, ask for a third-party BC audit.

· Logs and audit trails. Logs and audit trails are important for forensic investigation. But since cloud providers often use multitenant logging, access to logs is not always available. Companies that have investigation and discovery needs should make sure to negotiate access to their logs and audit trails. It is also important for the vendor to produce evidence that the logs are tamper-proof, and that it can keep the logs and audit data for as long as your discovery needs require.
· Specific compliance requirements. Many companies have their own compliance requirements for service providers, which may include SAS 70 compliance, PCI certification, ISO 27001, or others. You should gather these requirements as the prerequisite for selecting prospective vendors. For a SAS 70 audit, for instance, you need to differentiate between Type I and Type II audits, as the former covers documented practices and the latter covers tested practices.

Companies that are considering contracting cloud services should understand that compliance is ultimately their own responsibility. The cloud services are merely a tool; it is your responsibility to select the right tool to help you perform business functions and achieve compliance at the same time (see Figure 3).

Figure 3: Compliance Checklist (Source: Forrester Research, Inc.)

Topic: Business continuity and disaster recovery
• Do you have any DR and BC planning documents, and can we review them?
  - Ensure the procedures are at least as robust as our own.
• Can we do a BC audit?
• Where are your recovery data centers located?
• What service-level guarantee can you offer under DR conditions?

Topic: Logs and audit trails
• Can you accommodate timely forensic investigation (e.g., eDiscovery)?
• Can we agree on provisions in the SLA for investigation?
  - What would we have access to? How?
• How long do you keep logs and audit trails? Can you keep them as long as we desire?
• Can we have dedicated storage of logs and audit trails, and how?
• Show evidence of tamper-proofing for logs and audit trails

Topic: Specific compliance requirements
• Are your data centers under local compliance requirements? If so, which ones?
  - Do the local compliance requirements conflict with our own?
• Are you SAS 70 compliant (if applicable)?
• Are you ISO 27001 compliant (if desired)?
• Can you prove that you are compliant with:
  - California A.B. 211?
  - PCI?
  - HIPAA?
  - Basel II?
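The "Logs and audit trails" items above ask the vendor for evidence that logs are tamper-proof and ask what the customer would have access to. One concrete form such evidence can take is a hash-chained log, where each record's digest also covers the digest of the record before it, so that editing or deleting any record breaks every digest after it. The verifier below is an added example written for this page, not Forrester's or any vendor's code; the log lines, the GENESIS constant, and the function names are constructed for illustration. It also shows the caveat a reviewer should raise: a chain on its own cannot detect that the tail was cut off, so the customer should also receive a periodically exported head digest and check against it.

```python
import hashlib
from typing import List, Optional, Tuple

# Assumed convention for this example: the "previous digest" of the first record.
GENESIS = "0" * 64

# Constructed sample audit records (not real provider logs).
SAMPLE_LINES = [
    "2009-05-08T10:00:01Z tenant=acme user=alice action=login result=ok",
    "2009-05-08T10:04:17Z tenant=acme user=alice action=export object=customers.csv",
    "2009-05-08T10:05:02Z tenant=acme user=bob action=login result=fail",
    "2009-05-08T10:09:45Z tenant=acme user=alice action=logout",
]


def entry_digest(prev_digest: str, line: str) -> str:
    """SHA-256 over the previous digest and this line, so each record
    commits to every record before it."""
    h = hashlib.sha256()
    h.update(prev_digest.encode("ascii"))
    h.update(b"\n")
    h.update(line.encode("utf-8"))
    return h.hexdigest()


def build_chain(lines: List[str]) -> List[dict]:
    """Append lines to a fresh chain; each record carries its own digest."""
    chain, prev = [], GENESIS
    for line in lines:
        digest = entry_digest(prev, line)
        chain.append({"line": line, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain: List[dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Recompute every digest from GENESIS forward.

    Returns (ok, index of the first bad record or None, reason). If the
    customer holds an externally exported head digest, pass it as
    expected_head so a silently truncated or replaced tail is also caught."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if entry_digest(prev, rec["line"]) != rec["digest"]:
            return False, i, "digest mismatch"
        prev = rec["digest"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain), "head digest mismatch"
    return True, None, "ok"


def run_scenarios() -> dict:
    """Exercise the verifier against an intact chain and three tampering cases."""
    good = build_chain(SAMPLE_LINES)
    head = good[-1]["digest"]  # the value the customer would keep in escrow

    edited = build_chain(SAMPLE_LINES)
    edited[1]["line"] = edited[1]["line"].replace("export", "view")  # rewrite one record

    deleted = build_chain(SAMPLE_LINES)
    del deleted[1]  # drop the export record entirely

    truncated = build_chain(SAMPLE_LINES)[:-1]  # lose the most recent record

    return {
        "intact": verify_chain(good, head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_head": verify_chain(truncated),  # the chain alone passes
        "truncated_with_head": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, idx, why) in run_scenarios().items():
        print(f"{name:20s} ok={ok} first_bad={idx} ({why})")
```

The "truncated_no_head" result is the point to take into the SLA discussion: a vendor's hash chain proves that nothing inside the delivered log was altered, but only an externally held head digest (or an equivalent signed checkpoint delivered to the customer on a schedule) proves that nothing was removed from its end.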
Other Legal And Contractual Issues

Legally speaking, data/applications in the cloud are not treated the same as data/applications in your network. Precedents set in courts, such as Warshak v. US, adopted this position.[8] In Warshak v. US, the court opinion stipulates that if ". . . a user agreement explicitly provides that emails and other files will be monitored or audited," this knowledge can "extinguish his reasonable expectation of privacy." This decision puts into question what it means to have data "monitored or audited" by a service provider. Does the fact that Google operates on your Gmail content constitute "monitoring"? And if so, do you, as a user, lose your reasonable expectation of privacy? Users need to be aware of these issues:

· Liability. The fact that the laws do not treat data in the cloud the same as data on-premise leads to complicated liability discussions. There have been a few regulatory and legislative efforts to require service providers to contractually acknowledge their responsibility for protecting the client's data. The notable examples include PCI 12.8, California's A.B. 211, and the recent American Recovery and Reinvestment Act (ARRA)'s HITECH provisions.[9] But the principle of extending liability to the service provider and its associates is new ground in legislation. In practice, users must approach the liability discussion individually. You need to specify a set of detailed liability conditions and consequences, including any recourse actions and financial compensation, and include them in the negotiated service-level agreement (SLA).

· Intellectual property. Another issue that often comes into dispute is intellectual property, which in this case covers the ownership of and rights in data and services placed in the cloud. Using cloud services typically means that you are leaving digital footprints wherever the provider desires, sometimes in far-flung places where you don't know how information is policed. Recently, Facebook updated its terms of service to stipulate that Facebook has perpetual ownership of the data that users upload to Facebook, even after you discontinue the use of its services.[10] To avoid getting into a tangled IP dispute with someone like Facebook, you should work with your legal, compliance, and business staff to first lay out a set of ownership requirements that describes which data, applications, and logs you own and your rights to use them. This should also include the stipulation of rights to use by the cloud provider and any possible third party (see Figure 4).
Figure 4: Legal And Contractual Issues Checklist (Source: Forrester Research, Inc.)

Topic: Liability
• What recourse actions (e.g., financial compensation, early exit from contracts, etc.) can we agree on in the event of a security incident or failure to meet the SLA?
• What conditions under which . . . ?

Topic: Intellectual property
• Can we stipulate in the SLA that all my data (or applications), including all replicated and redundant copies, are owned by me? Ensure that your service agreement does not lead you to relinquish any IP rights.
• Scrutinize the language in the terms of service that governs the ownership of and rights to information that you place in the cloud.

Topic: End of service support
• Specify what the cloud vendor will deliver at the end of the service period.
  - Will data be packaged and delivered back to me? If so, in what format?
  - How soon will I have all my data back?
  - Will any remaining copies of data be erased completely from your network? If so, how soon will that happen?
• Specify any fees that may be incurred at the end of the service.

Recommendations

Users Of Cloud Services Should Pay Special Heed To Cloud Security

While cloud computing is able to deliver many benefits, organizations should not jump on the "cloud" wagon without a compelling business driver and a clear understanding of the security, privacy, and legal consequences. Users of cloud services should not automatically assume that they are sacrificing security by moving into the cloud, but at the same time, they should not trust their cloud provider implicitly to deliver security. You can improve your chance of a successful cloud adoption by exercising the following:

· Gather legal and regulatory requirements first for a feasibility assessment. Laws and regulations may prevent the use of cloud services — that's why you need to engage in a feasibility study first. The study should cover any certification requirements (e.g., PCI-certified vendor, SAS 70 compliant, etc.), geographical limitations, or possible regulatory requirements against multitenancy. Engage your legal, risk, and compliance officers early on in this process.

· Thoroughly vet your provider. Use the checklists included here to zero in on your "must-have" and "negotiable" requirements. Vendors that fail to meet the "must-have" requirements should be screened out. Deal with gaps in the "negotiable" terms with recourse actions and financial compensation. Pay special attention to operational details that are often obscured by cloud services, such as the location of data, which events are logged, the replication method, and infrastructure redundancy.
· Work guidelines and standards into the SLA. Communicate industry standards and guidelines that are specific to your operations to the vendor and incorporate them into the SLA. Ask the vendor to provide definitive evidence, such as industry certifications, to prove that it has the capability to meet these standards and guidelines.

· Seek ongoing assurance that your service providers are compliant. When in doubt, ask for audits. You can request an audit of your provider's infrastructure and applications prior to service commencement, but also periodically afterward to ensure ongoing compliance. A reputable cloud provider should allow reasonable audit requests. Work with your vendor to agree on a set of audits that reveal useful information without being disruptive to the vendor's infrastructure and operations.

· Use a third-party, unbiased cloud assessment service. As an added level of assurance, consider contracting a third-party, unbiased cloud assessment service. When you outsource your operations, most likely you'll also outsource security expertise.[11] This means that you'll have little skill in-house to do a proper evaluation of cloud services. A third-party evaluation service, such as those offered by Hyperic and HP, may be exactly what you need. Hyperic focuses more on performance and SLA monitoring, while HP's cloud assurance service focuses more on secure operations. You should look to these assessment functions: 1) security assessment in the form of network/application scans and penetration testing; 2) performance — load testing and login capacity testing; and 3) availability and uptime assessment.
What It Means

Cloud Computing Will Change The Role Of IT Security Professionals

Today, the security and legal landscape for cloud computing is rife with mishaps and uncertainties. In the long run, however, cloud operators will continue to find economies of scale, not only in their core services, but also in their treatment of security. To take full advantage of the power of cloud computing, end users need to attain assurance of the cloud's treatment of security, privacy, and compliance issues. To that end, we need an industry with open standards, clearer regulations, and community-driven interoperability. A standards-based approach will make it easier for vendors to support flexibility, agility, and expanded cloud service offerings such as collaboration, and it will also make it easier for customers to evaluate cloud vendors and build trust in their privacy and security promises. With the rising popularity of cloud computing and the emergence of cloud aggregators and integrators, the role of an internal IT security officer will inevitably change — we see IT security personnel gradually moving away from their operations-centric role and stepping instead into a more compliance- and requirements-focused function.
SUPPLEMENTAL MATERIAL

Companies Interviewed For This Document

Google
HP
Qualys
salesforce.com
The Jericho Forum
Websense

Endnotes

1. In Forrester's Enterprise And SMB Software Survey, North America And Europe, Q4 2008, when asked "How interested are you in adopting software-as-a-service?", 21% of respondents indicated they had already adopted or were piloting; 26% said they were interested or considering adopting; and 54% said they had no interest at the moment.

2. Information and knowledge management professionals must roll out collaboration applications, particularly if travel budgets are slashed. But in capital-constrained times, the upfront cash outlay and financial risk of on-premise solutions can prevent many projects from being funded. Fortunately, cloud-based collaboration service providers offer a cash-flow-friendly alternative to on-premise installation for projects including email overhauls, wiki workspaces, and Web conferencing. And cash-flow-friendly is a concept that every chief financial officer (CFO) will understand. See the October 29, 2008, "Talking to your CFO About Cloud Computing" report.

3. Strategists at product and service purveyors, big and small, are pondering the right paths to take as a variety of Web and Internet "cloud" technologies and cloud services offerings envelop the market. Three myths are fogging up the options: 1) Cloud service offerings are one large market; 2) cloud equates to virtualization; and 3) cloud providers will compete primarily on price. How should IT vendor strategists sell to or compete with emerging cloud service providers? We cut through the mist to segment the offerings into five cloud services markets. Two of these markets, Web-based services such as Google and software-as-a-service offerings such as salesforce.com, are known markets delivered from the cloud. These combine with three new cloud-infrastructure-as-a-service markets: 1) app-components-as-a-service; 2) software-platform-as-a-service; and 3) virtual-infrastructure-as-a-service. To capture these new cloud service providers as customers, IT vendor strategists must create new business units, evolve existing offerings, and evaluate when to act as a supplier — and when to compete. See the August 28, 2008, "Future View: The New Tech Ecosystems Of Cloud, Cloud Services, And Cloud Computing" report.

4. In the past, EPIC has successfully filed a similar action against Microsoft's Passport service and won fines and concessions. For more information see: "New Privacy Complaint Filed Against Google (And The Cloud)," Search Engine Land (http://searchengineland.com/new-privacy-complaint-filed-against-google-and-the-cloud-16974).

5. Business continuity (BC) planning consists of three critical phases: business impact analysis (BIA), risk assessment (RA), and plan documentation. In our Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008, we found that businesses are taking the time to complete each phase and regularly update BIAs, RAs, and plans. This is due in part to the increasing priority that businesses place on BC readiness, but it's also due to the increasing scrutiny businesses are under from both internal auditors and external parties such as regulatory bodies, strategic partners, and even customers. Security and risk management professionals, particularly CISOs and BC directors and managers, must ensure that their own planning efforts are on par with those of their peers and pay close attention to the areas where businesses are struggling: testing more thoroughly and frequently, involving business owners in the process from start to finish, and ensuring the BC readiness of strategic partners. See the February 26, 2009, "Businesses Take BC Planning More Seriously" report.

6. In March 2009, Google found a bug in its Google Docs application that granted sharing permissions without the user's knowledge. Details of the bug and its fix can be found in Google's support forum at http://www.google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&hl=en.

7. In 2007, one of salesforce.com's employees fell victim to a phishing attack, which led to the leak of a salesforce.com customer list. This incident led to a further phishing wave targeting these customers. For more details of the incident, see Brian Krebs, "Salesforce.com Acknowledges Data Loss," The Washington Post, November 6, 2007 (http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html).

8. In the 2007 Warshak v. United States decision, the circuit court opinion reads: "In instances where a user agreement explicitly provides that emails and other files will be monitored or audited . . . , the user's knowledge of this fact may well extinguish his reasonable expectation of privacy. Without such a statement, however, the service provider's control over the files and ability to access them under certain limited circumstances will not be enough to overcome an expectation of privacy."

9. ARRA Subsection D, starting at section 13400, stipulates the responsibilities of business associates of covered entities in the event of data disclosure. This is new, and the precedent for it is California AB 211, section 1, 56.36 (b), which applies disclosure penalties to "any person or entity who has negligently released confidential information or records concerning him or her in violation of this part." The California law is broader, and the penalty is higher than the federal one, but the principle of extending liability beyond providers and payers is new ground in both. This is the first time that laws have extended HIPAA security provisions (and the civil and criminal penalties for violating them) to partners and business associates of covered entities as well as to the entities themselves.

10. On February 16, 2009, Facebook updated its terms of service to stipulate that the company now has permanent rights to anything users upload to, display on, or create on Facebook, even after they cease to be a Facebook member. After three days of industry outrage, Facebook temporarily reverted to its original terms on February 19. The management team is now working on a new terms of service agreement.

11. IT services clients increasingly bundle security services into their comprehensive outsourcing deals with major full-service providers like IBM, Northrop Grumman, and Wipro. Managed security services (MSS) now account for more than $3 billion a year of major service provider revenue, and business growth is accelerating as IT clients continue to sharpen their focus on security. See the July 23, 2008, "IT Outsourcers Enhance Buyers' Options For Enterprise Managed Security Services" report.