With any data, attacks are inevitable.

Wherever there is multi-tenant data in one place, said O’Higgins, people will be after it, and it will be compromised. The threats are still the same in the cloud, but countermeasures change dramatically because there are a lot of changes in infrastructure. The biggest change in tools is the use of virtualization. People have to comprehend how their cloud vendor handles it. Weigelt agreed. “You have to understand the data and understand your business well, and understand the expectations of the community. The defence in depth principle still applies. Customers have to remain vigilant.” Added Carter, “Going through the cloud is just an extension of outsourcing – it’s a different set of issues, but it’s fundamentally the same.” There must be assurances wherever possible that information is being used appropriately.

COMPLIANCE & REGULATION

Next up for discussion was the role of compliance and regulation in securing the cloud. Akif said that companies need to be able to tell their customers that they comply with security standards. “I think it helps an organization,” he said, adding that cloud computing can make the process easier for them. “A component of compliance is being outsourced to the organization hosting their infrastructure. Most organizations see that as a positive.” In fact, he pointed out, the recent Microsoft Security Intelligence Report showed that 50 per cent of data loss occurs as a result of lost or stolen equipment, and less than 20 per cent because of hacking. A cloud provider, he said, may be able to offer better physical security.

Shiau added that we want to give individual users awareness of how their data will be used. “How can they make informed choices unless the information coming to them is transparent?” he asked. That, he said, is where regulatory compliance comes in. However, Weigelt said, “Compliance has to be the first step to entry, but is not the minimum step.” Some existing rules don’t apply well to the cloud, he explained. Regulations built for one era of computing may actually detract from this new era, and the community is working together to resolve some of those challenges. To deal with issues of jurisdiction, for example, Microsoft is suggesting a worldwide context for the cloud.

O’Higgins believes that this is an opportunity for Canada to be a world leader, and pointed out, “Being secure makes it easier to be compliant.” Carter added that although privacy laws in Canada don’t say a lot about security, privacy commissioners have a lot of flexibility, when they come in after something goes wrong, to look at whether there is compliance with industry standards. “It’s not force of law, but it carries a lot of weight in legal proceedings,” he said.

Data classification is one area in which most companies lag, according to Akif. Even in relatively secure organizations, it is not used; the problem is that it must be done by the business, not by IT. It is hard to assess risk with unclassified data.

Another hazard, according to O’Higgins, is that the virtual infrastructure underneath has generated big changes in how security is implemented. Companies can spin up an image instantly, and its patching may be out of date, creating an instant vulnerability. He advised, “Make sure your security products line up with the virtual infrastructure.” It’s often overlooked that a lot of existing standards are being brought into the cloud, Weigelt added. “We’re not starting from scratch, but we are challenged when we start working in the new environment

Fred Carter serves the Ontario Information and Privacy Commissioner (IPC) in a variety of demanding roles as senior policy and technology advisor. His primary responsibilities involve providing strategic research, information, and advisory services to the IPC Commissioners on a wide range of technology and privacy policy issues. He contributed to recent IPC publications on identity theft, identity management, radio frequency identification (RFID), biometric encryption, cloud computing, and the impacts of “Web 2.0” technologies and services on governments. Prior to joining the IPC, Mr. Carter worked for the Privacy Commissioner of Canada, Zero-Knowledge Systems, and the Standards Council of Canada in similar policy capacities.

20 SECURITY MATTERS • MAY/JUNE 2010