Home Brazil IT-BPO What Have We Learned About Cloud Security So Far?

What Have We Learned About Cloud Security So Far?

Posted by Garrett O'Brien on 30-Jan-2012 in Brazil IT-BPO, Cloud computing, Cloud security, featured post | 0 comments

This is the first of three articles focused on the development of cloud security since 2008, basically reviewing what have we learned about cloud security so far. The Cloud is taking off, question is — how is security keeping pace with everything in the Cloud? In this first installment, we are going to focus specifically on the statements provided by Garter in 2008. Though the experienced Cloud professional may see where the second installment is heading — I suggest you make your notes and then let’s compare them. Cloud is still a start-up industry, and everyone’s input is needed to mold what the Cloud of tomorrow will look like.

In June 2008, analyst firm Gartner noted that Cloud computing was fraught with security risks and they highly suggested getting a security assessment from a neutral third-party before committing to a cloud vendor. The reason for this was Cloud computing had “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing.” (1)

Examples of cloud computing, which Gartner defined as a type of computing in which “massively scalable IT-enabled capabilities are delivered ‘as a service’ to external customers using Internet technologies (1)” were Amazon’s EC2 service and Google’s Google App Engine.

To verify that service and control processes were functioning as intended, and that vendors could identify unanticipated vulnerabilities, Cloud customers needed to demand…

transparency
avoid vendors that refuse to provide detailed information on security programs
verify qualifications of policy makers, architects, coders, and operators
risk-control processes and technical mechanisms
verify and control the level of testing

For 2008, Gartner provided these 7 specific security issues that customers should raise with vendors before selecting a cloud vendor (2)…

1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,” Gartner says.

2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are “signaling that customers can only use them for the most trivial functions,” according to Gartner.

3. Data location. When you use the cloud, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.

4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn’t a cure-all. “Find out what is done to segregate data at rest,” Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. “Encryption accidents can make data totally unusable, and even normal encryption can complicate availability,” Gartner says.

5. Recovery. Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. “Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure,” Gartner says. Ask your provider if it has “the ability to do a complete restoration, and how long it will take.”

6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”

7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. “Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application,” Gartner says.

In part 2 of this installment, we will see what Gartner says today — and what has changed — for better, for worse, and what is new. In part 3 and final installment, We will also provide our own analysis. With all the installments, we invite your feedback.

From the Gartner article in 2008, what do you see as improved? needs more work? What opportunities do you see from their 7 points noted above? Please share with us, we would love to know!

with credit to…
(1) June 2008 Gartner, “Assessing the Security Risks of Cloud Computing.”
(2) Inforworld: Gartner: Seven Cloud computing Security Risks by Jon Brodkin | Network World
image credits to the hris world

Short URL: http://su.pr/1m9vR8

About Garrett O'Brien

With 20+ years in roles including client executive sponsor, project management, as well as functional and technical lead, Garrett O'Brien is sought for his expertise in both the USA and Brazil. His background is extensive in implementing multi-product, multi-line HRIS environments.

Currently, Garrett works from his home office near São Paulo, Brazil as well as operates The HRIS World publishing and writing from there. His previous clients include ADP, Case New Holland, Cushman & Wakefield, Honeywell International, Lubrizol, MAHLE, Sodexho USA, and many others.

Garrett’s current roles involve…

• CEO for CGServices USA / CGServicos Brasil -- focusing on multi-provider, multi-line system for HRIS systems

• Publisher, writer, and owner of 2 leading HRIS system and career blogs which are read in 50+ countries

• Registered partner with Microsoft, providing the latest developments on the newest technologies from Microsoft

• Council and EducationMember of Gerson Lehrman Group Council, which helps institutions of the world leaders meet, engage and manage experts across a wide range of sectors and disciplines. Garrett focuses on global HRIS and international e-commerce

Garret is always working on a couple of projects. Currently, he is focusing on the improvements needed in project management, especially the earliest phases. Another focus is on building the awareness of Brazil’s prominence in the IT world, especially in outsourcing.

Feel free to contact him directly on
• LinkedIn : Profile in English or Portuguese
• Facebook : The HRIS World fb The HRIS Career World fb
• twitter: @thehrisworld @hriscareerworld
• e-mail : g.obrien@cgervices.com
• IM : Skype - cgs-usa // MSN cgs-brasil [hotmail]

0 Comments

Trackbacks/Pingbacks

What is The Achilles Heel for Cloud Security? | the hris world - [...] articles focused on the development of cloud security since 2008. The first article — “What Have We Learned About ...

What are your thoughts? Let us know! Cancel reply

You must be logged in to post a comment.

Before registering with us, please see our privacy policy, we maintain all your information in confidence.

Some of Our Other Services, Just for You...

For the latest video briefs, check out our playlists on our YouTube channel...

ADP : Cloud Computing : Brazil IT : Brazil IT-BPO : Intel : IHRIM : Kenexa : Kronos : OpenText
PeopleSoft : SAP : SHRM : Success Magazine : Taleo : TechnoFunc

You will find our Microsoft and Microsoft Office YouTube video playlists helpful with your learning...

Microsoft : Office 2010 : Access 2010 : Excel 2010 : Lync 2010 : OneNote 2010 : Outlook 2010
PowerPoint 2010 : Publisher 2010 : SharePoint Workspace 2010 : Web Apps 2010
Word 2010 : Project 2010 : Visio 2010 : Windows phone

See Our YouTube Channel Now!

Remember: you can quickly bookmark anything on the web by pressing <Ctrl-D> on your keyboard.

The HRIS World Press Releases

The first 10 selections are news videos, followed by 30 of the latest press releases...

Cloud Collaboration Platform...

Collaborate Intelligently! The HRIS World highly recommends Huddle as it is the world's leading enterprise cloud-based collaboration platform. Huddle is used by more than 100,000 business and government organizations worldwide, including AKQA, HTC, and Kia Motors, to securely store, share and collaborate on content with people inside and outside of their organization. Huddle is a secure place to work and connect online.

Huddle's mobility is paramount as it can be accessed online, on desktops via Microsoft Office applications and on the move with BlackBerry, iPhone and iPad apps. Huddle mobility is currently available in 15 languages.

Click here to find out more!

Who We Follow...

Forrester Research : Pragmatic advice to global leaders in business and technology, the only company that creates forward-thinking research specifically for your role in the organization.

Gartner Research : Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company.

TI Especlialistas Brasil : One of the top technical and project management blogs in Brasil... viewed by more than 25,000 every month. Our own Garrett O'Brien contributes here often.

[it] decisions : Mark Hillary's blog on the latest developments in the Brazilian IT industry...

HR.com ERP/HRIS : HR.com helps you stay current and connected! As the largest social network and online community with more than 200,000 HR professionals, HR.com connects HR professionals and suppliers with easy access to shared knowledge on best practices, industry news, webcasts, and online certification to help them develop their most important asset – the people. Meet, network, share and learn.

HR Tech Europe : Europe's most important network on how software, systems and collaborative tools are bringing about surmountable change in the way organisation’s work.

HRN Europe : Pan European HR Network & Forum - HRN Europe is interested in building a picture of what the future of work will bring and how transformational global organisations are best prepared to succeed. Their value proposition has been to offer quality over quantity. The Pan European HR Network connect the dots by involving senior-most executives in live research and events to help promote Collaborative Discovery, Deliberate Practice, Personal Proficiency, and Social Responsibility.

International HR Forum : the single source for International Human Resources information... International HR Forum is a Blog about all issues related to international HR. The authors represent 9 organizations who have joined together to share their expertise in matters such as expatriate and local national compensation, benefits, expatriate taxation, cultural adjustment and EAPs, international schooling, and more.

International HR Information Management (IHRIM) : A dynamic group of practitioners, vendors, consultants, students, and faculty that continues to grow in numbers, scope of knowledge, and information.

Jason Averbook, Knowledge Infusion : Knowledge Infusion is a different type of consulting organization. KI isn’t a giant firm looking to staff consultants for years, or a technology-centric firm doing strategy to feed an implementation business. KI simply wants the best for their clients and to create lifelong partnerships with those they work with. KI wants to infuse knowledge to help their clients become leaders in their industry, and make a difference in their own organization.

Josh Bersin, Bersin & Associates : Josh Bersin is President and CEO of Bersin & Associates, a leading research and advisory services firm in enterprise learning and talent management.

Naomi Bloom, In Full Bloom : Leading independent voice/strategy consultant/thought leader in HR technology/HRO as Managing Partner at Bloom & Wallace

Yvette Cameron, NextGenInsights : This site is focused on next generation people processes and technologies and those driving the transformation of the HR organization.

Paul Hamerman, Forrester : VP and Principal Analyst, Enterprise Apps, at Forrester Research

James Holincheck, Gartner : Jim Holincheck is a managing VP in Gartner Research, where he manages the team that covers finance, human capital management (HCM) and procurement. He specializes in the HCM systems market. In this role, he helps provide a bridge between technology and human capital processes, practices and strategies.

Alexia (Lexy) Martin, CedarCrestone : As director, research and analytics at CedarCrestone, Lexy Martin is responsible for its annual HR Systems Survey, now in its 15th year. When not working on the survey, she provides strategy, business case, and metrics and analytics services, along with deep dive benchmarking in all industries. Working with many of the leading HCM vendors, she has helped develop their value propositions and conducted numerous surveys of their customer bases. Lexy is also managing editor for the IHRIM Workforce Solutions Review. A sought-after thought-leader and speaker, few researchers in the field of HR technology can match the experience that Lexy has accumulated during her career in introducing emerging technologies. From the pioneering days of introducing office automation and PCs in the early 80s, groupware in the late 80s, self service in the early 90s, and to continuing technology introduction this decade, Lexy is a consistent contributor to the industry's continuing evolution.

Mark Smith, Ventana Research : As an industry veteran with more than 22 years of experience, Mark is responsible for the overall direction of Ventana Research and drives the global research agenda covering both business and technology areas. He defined the blueprint for Information Management and Performance Management as the linking together of people, processes, information and technology across organizations to drive effective results. Mark is an expert in technology for business from Performance Management, Business Intelligence, Analytics to Information Management across finance, operations and IT. Mark has held CMO, product development and research roles at companies such as SAP, META Group, Oracle and IRI Software. He has experience across major industries including banking, consumer products, food and beverage, insurance, manufacturing, pharmaceutical and retail and consumer services.

Chequed.com : Chequed.com is executing on their mission of putting the right person in the right job, right now by revolutionizing candidate screening through delivering a industry leading, web based platform for confidential, fast and Predictive Employee Performance™ Suite that’s comprehensive with both reference checking and behavioral assessment.

SHRM Technology : A globally recognized authority whose voice is heard on the most pressing people management issues of the day.

HRcomparison (UK) : HRcomparison is the smart way for professionals to select the HR, Payroll, and Time and Attendance solutions that will really work for them. Save time and money by using HRcomparison to narrow your search to clearly-identified HRIS software solutions.

CompareHRIS.com (USA) : CompareHRIS.com puts you, the HR Professional, in touch with HRIS systems and HRMS software vendors offering the HR software that most closely matches your requirements. Whether you’re looking for straightforward HR Software, a complete HRIS or HRMS, CompareHRIS.com can help you find exactly what you need.

Software Advice : A privately held, internally funded company founded in 2005. They have helped 56,251 software buyers and work with 499 software vendors.

HR Professionals : Rosarrio Longo is an HR Manager with an Insurance Company in Milan, Italy. CIPD Part-qualified and Licentiate Member. Chartered Management Institute Associate Member (ACMI). His background is in Management and teaching Law, Economics, Marketing and Communication.