Cloud Information Assurance must address the whole risk picture

Seeing the Whole Risk Picture

PWC Risk Assurance partner Dean Simone.

Prepare for what’s around the corner.

Anticipate and deal with risks that are unknown.

How can we build trust in the cloud to drive business growth?

Extract from a report co-authored by Jan Schreuder, PWC Partner:

“When adopting Cloud Services PWC clients often ask:

  • What are the risks associated with Cloud Computing and how do we manage them?
  • How will cloud computing impact our regulatory and compliance requirements?
  • How do we maintain control and oversight over the cloud environment?
  • Is moving to a cloud computing environment cost effective?
  • How will cloud computing impact on business continuity and disaster recovery planning?

PWC Cloud Assurance can help clients:

  • Assess and manage the technical, operational, financial, legal, regulatory, tax risks and opportunities associated with cloud adoption.
  • Design and review the project framework to transition services to the cloud.
  • Analyse the business case and costs to ensure business benefits are realistic and achievable.
  • Design and review security and controls before, during, and after the move to the cloud.
  • Design and review business continuity and disaster recovery procedures for cloud services.
  • Provide third party assurance over cloud service providers’ control environment.”

Information Assurance in the Cloud

Alan Calder, CEO of IT Governance Ltd

Three minutes into this video clip, Alan looks at risk in the cloud.

03:39 – One way of looking at risk in the cloud is to look at where risk ownership lives.

03:55 – Where security and compliance are concerned there is a balance, with responsibility shared between the Cloud Service Provider and the user. Risk, however, sits entirely with the user of the cloud service.

The nature of the cloud is that you can take and use what you want, but it is your risk, your information, your business and your service.

04:40 – Trust boundaries in the cloud shift depending on the service model used, e.g. IaaS or SaaS.

09:15 – Cloud Controls Matrix

LINK to download the Cloud Security Alliance – Cloud Controls Matrix

11:45 – Understand Cloud Security

Steve Wozniak, interviewed by a French press agency earlier this week, confessed to the audience that he worries about the insecurity of Apple’s famed iCloud.

“I really worry about everything going to the cloud,” said Wozniak. “I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”

iCloud essentially acts as a remote server responsible for syncing computing devices. In other words, if a user sends information to one cloud-connected device, the cloud will intercept the information and send it to every other device connected to the cloud space.

“With the cloud, you don’t own anything. You already signed it away,” said Wozniak. “The more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”

Matt Honan – How Apple and Amazon Security Flaws Led to My Epic Hacking

“My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.” LINK to Wired article.

Steve Wozniak and Matt Honan have both spoken out about the risk of cloud service users losing the content they store in the cloud. Security controls require strengthening to protect access to cloud-based personal information.

Alan Calder mentioned that SAS 70 has been replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.

In addition, Joe Panettieri has written about how SSAE 16 audits are gaining momentum with cloud data center providers. LINK

Cloud Service Providers are also keen to achieve accreditation to SSAE 16. One example is the cloud data security company CloudLock, which completed its SSAE 16 SOC 1 audit in May.

Cloud Information Assurance, for me, is applying the Cloud Controls Matrix to build an end-to-end service model that makes clear who owns each service asset.

It is also about having clear trust boundaries in the cloud, with crystal clear commercial and contractual responsibilities for service risk.

The cloud computing model, with hyper hybrid [connected] clouds, Cloud Service Providers, Cloud Service Brokers and Cloud Service Users, is still in its infancy.

As such, nobody in the end-to-end service chain has an understanding of the whole risk picture, but the colour palette is emerging.


One response to “Cloud Information Assurance must address the whole risk picture”

  1. I’m not so worried about the cloud for the simple fact that whatever we try to hide or keep safe, somebody is always thinking of a way to get it and break into a system of one kind or another. If it happens, it happens.
