Cloud IT: Hiding Complexity and Risk

jmbunnyfeet

Cloud computing and Internet technologies have delivered previously unimagined capability for even the smallest of businesses – capability to compete, build brand recognition, and reach markets in remote geographies. The mantra for businesses used to be “location, location, location”, but it’s become connectivity – perhaps even more than location – which now delivers business opportunity. As technology has evolved, allowing businesses and consumers to connect regardless of time or place, the complexity of the systems and networks has also increased dramatically. Where a business could once easily identify its various vendors or business service providers, those involved in the service ‘delivery chain’ are no longer so easily identified. Among the benefits of cloud computing technologies is the ability to reach beyond traditional boundaries. The risk for many businesses is in not fully understanding how, and with whom, those boundaries are being crossed.

For many an enterprise, the convenience and efficiency introduced with cloud computing models overshadows the increased risk potential. Service level agreements and vendor contracts are assumed to be sufficient to protect the business and its information assets, yet recent events (such as the revelations about PRISM and the actions of the National Security Agency) should cause businesses to look a little deeper at their entire provider network. It’s not that the average business should be concerned about government snooping of their emails, but they should be aware of who has access to their systems and data, and which entities are responsible for which parts of the system. It’s only prudent to know the details, and it is the best first step to mitigate business risk.

Enterprise Clouds are complex, sophisticated entities which invariably rely on a daisy-chain of third parties and contractors to help build, run and maintain their Cloud provider’s systems. The organizational and technical complexities are additive, resulting in increased systemic risk. Systemic risk is the least visible and hardest to eliminate, and those risks become real when the providers’ systemic risks become [yours].

The question is, how well does your Cloud provider manage the ecosystem of contractors and third parties that are farther down the food chain? This is even more relevant in the globalized workforce, where, paradoxically, Cloud and related technologies have greatly facilitated the outsourcing and offshoring of work to low-cost countries.

http://www3.cfo.com/article/2013/6/data-security_prism-national-security-agency-edward-snowden-cloud-implications-vendor-management

Before executing a service agreement with an outsourced provider, make certain that the details of facility, connectivity, network, equipment, and other elements of the delivery and system are spelled out. Business subscribers should know where the various points of failure exist, and which company is responsible for dealing with each. If a carrier fails and connectivity to the data center is lost, the hosting service provider may be powerless to affect the situation, even though service availability is part of the SLA. If a hosted software product has a vulnerability or fails to perform, the developer of the product is likely responsible, rather than the hosting service provider. The point is that there are often multiple players in the delivery chain, and customers should be aware of this reality prior to engaging with the service.

Ultimately, the business with mission critical data in the possession of a 3rd party service provider should have a healthy helping of doubt as to whether the provider has full control over their environment.  Business owners, managers and CFOs should recognize the increased necessity of evaluating risk within their provider systems and in provider/vendor relationships, to keep trade secrets secret and prevent intellectual property from becoming the property of others.

Joanie Mann Bunny Feet

Make Sense?

J

Preparing for Disasters of the Legal Kind

As businesses begin to realize the benefits of cloud computing and business data mobility, they may be overlooking one of the most important issues any enterprise can face: information management in the event of litigation.  While the IT department probably has a disaster recovery plan for handling various computer system failures, is there also a plan for managing system data and electronic information in the event of a “legal disaster”?  In the spotlight is e-discovery, which is the requirement of the business to respond to legal requests for electronically stored information, and the issues CIOs and business owners should be paying attention to as computing solutions and technology models continue to change at a rapid pace.

The popularity of BYOD (Bring Your Own Device), data sync solutions, and online collaboration tools has created an environment where business data may exist in various states (meaning as in conditions or status, not as in State, like California) and on a variety of devices and systems, some of which may not be in the direct control of internal IT.  Regardless of where or how the information was delivered to these devices and systems, CIOs and business owners should recognize that the information on those devices is included in discovery requests, and should be prepared with a plan for dealing with the response.

This “e-discovery plan” is the most important thing, and it means not only working through the various aspects of managing the information, but also providing consideration to keeping the plan updated.  As technology changes, and as user behavior changes along with it, businesses must adjust their IT management approaches in kind.  Consider that a user couldn’t store business data on their phone until the phone was able to handle that function.   Now that smartphones are the norm and tablet computers are gaining in popularity, business data is roaming on personal and business devices.  These advancements may introduce productivity and process gains which provide an advantage to businesses, but they also introduce potential risk and certain complexity when it comes to e-discovery.

Litigation is always expensive, but sanctions for slow response or other costs can be avoided if the plan helps the business respond in a timely manner.  For this reason, the plan should include an identification of all sources for information (every location where business information and data is stored), as well as the steps to be taken to preserve this data in the current state.  If the business has systems which regularly purge information (like accounting systems which purge prior period details, email systems which automatically purge old emails, or backup systems which delete old backup files as new ones are made), all of these activities must be halted.  If the company doesn’t have access to control the various devices and systems to prevent these activities (or doesn’t know that they are happening), significant risk is introduced.  In the case of a legal “hold”, all data and metadata and the audit controls and files must be preserved.
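The halt on automatic purging described above is easiest to get right when the retention job itself refuses to delete anything inside the scope of an active hold and records every decision. The following is an added illustration of that gating logic, not code from the original post or from any product the post names; the record fields, the hold scope and the sample records are constructed stand-ins for e-mail, accounting-period and backup-rotation data.

```python
"""Retention purge that honors legal holds (added illustration, not the post's code).

Constructed in-memory records stand in for e-mails, accounting periods and backup
files that a system would normally purge on a schedule. A legal hold is a predicate
over records; anything matching an active hold is preserved, metadata included,
and every preserve/purge decision is written to an audit trail.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Record:
    record_id: str
    system: str                      # constructed labels: "email", "accounting", "backup"
    custodian: str                   # person or account the record belongs to
    created: datetime
    metadata: Dict[str, str] = field(default_factory=dict)


@dataclass
class LegalHold:
    hold_id: str
    matches: Callable[[Record], bool]  # scope of the hold, evaluated per record
    active: bool = True


class RetentionEngine:
    def __init__(self, retention_days: int, now: datetime) -> None:
        self.retention_days = retention_days
        self.now = now
        self.holds: List[LegalHold] = []
        self.audit: List[Dict[str, str]] = []

    def add_hold(self, hold: LegalHold) -> None:
        self.holds.append(hold)

    def _holds_for(self, rec: Record) -> List[str]:
        return [h.hold_id for h in self.holds if h.active and h.matches(rec)]

    def run_purge(self, records: List[Record]) -> List[Record]:
        """Return the records that survive the run; log every decision."""
        cutoff = self.now - timedelta(days=self.retention_days)
        survivors: List[Record] = []
        for rec in records:
            holds = self._holds_for(rec)
            if holds:
                # Hold wins over retention: the record and its metadata stay untouched.
                survivors.append(rec)
                self.audit.append({"record": rec.record_id, "action": "preserved",
                                   "reason": "hold:" + ",".join(holds)})
            elif rec.created < cutoff:
                self.audit.append({"record": rec.record_id, "action": "purged",
                                   "reason": "retention"})
            else:
                survivors.append(rec)
                self.audit.append({"record": rec.record_id, "action": "retained",
                                   "reason": "within retention"})
        return survivors


def demo():
    """Constructed scenario: a hold on one custodian and one accounting period."""
    now = datetime(2013, 7, 1)
    records = [
        Record("m1", "email", "alice", now - timedelta(days=400), {"subject": "Q1 forecast"}),
        Record("m2", "email", "bob", now - timedelta(days=400)),
        Record("b1", "backup", "fileserver", now - timedelta(days=90)),
        Record("a1", "accounting", "ledger", now - timedelta(days=800), {"period": "FY2010"}),
    ]
    engine = RetentionEngine(retention_days=365, now=now)
    engine.add_hold(LegalHold(
        "HOLD-001",  # constructed identifier
        lambda r: r.custodian == "alice" or r.metadata.get("period") == "FY2010",
    ))
    survivors = engine.run_purge(records)
    return survivors, engine.audit


if __name__ == "__main__":
    kept, trail = demo()
    print("kept:", [r.record_id for r in kept])
    for entry in trail:
        print(entry)
```

The order matters: a hold added after the purge has already run cannot resurrect anything, which is why the plan needs the inventory of data sources and the hold procedure ready before litigation begins. Devices and services outside the engine's reach (the BYOD and sync tools mentioned earlier) are exactly the gap this logic cannot close.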

The final steps in the plan are the steps to be taken after the litigation is over. This is oftentimes a forgotten part of the plan, which is the final destruction of the information gathered for discovery. Not that the original data must be destroyed (consider ALL dependencies), but the “database” of collected information related to the litigation probably should be. With this data pooled in a single place, it becomes a potentially valuable target for a data breach. At minimum, the collected information could too easily be pulled into an entirely new legal case.

IT managers, CIOs and business owners must be realistic about the information their enterprises generate and store, including being realistic about the risk potential that duplicated and mobile data represents.  It is not that the enterprise should be afraid of allowing mobility and providing remote access solutions, but it is essential that the enterprise control the use of these solutions and how they use or interact with business data.   Without a strictly enforced policy of usage and control for all devices, services and solutions “touching” business data, any legal disaster planning falls short.

Make Sense?

J

e-Discovery in the Cloud: Benefits versus Risks

After many years of working with business professionals in “enabling” their organizations to make better use of technology, I must say that it is a bit frustrating trying to get folks to understand that this new and wonderful cloud computing model (or Internet-based computing, SaaS, or whatever-you-want-to-call-it computing) is still just technology.  It uses computers and disk drives, it runs software, it takes electricity, and it was developed by human beings.  It can break.   It’s not magical and perfect and you can’t get the good stuff for free.  Swim at your own risk.  So, assess the risks, and measure the benefits against the risks and costs.  For many, the benefits outweigh the risks, as cloud computing approaches can deliver advanced capabilities at cost levels not previously available to most businesses.

No industry is immune to the security and access considerations surrounding a cloud computing model. In particular, lawyers involved in e-discovery (all of them) have recognized the potential benefits – and tradeoffs – of the model. This reality was clearly revealed at the ILTA (International Legal Technology Association) 2010 event in Las Vegas. While the discussions at the conference were oriented specifically towards the legal profession, the IT-related discussions are totally relevant to every business. Accounting and finance professionals should pay close attention to this type of conversation, as it relates very directly to accounting’s approach to information technology and the application of IT in the business or professional practice.

In a recap of the event entitled ILTA 2010 in Las Vegas: Strategic Unity, Defensibility, and the Cloud, author Chris Dale discussed that professionals in both public and corporate service must work with the IT departments towards a common goal.  “IT is no longer just a service department providing an infrastructure, applications, training, and troubleshooting.”  While these elements still remain as critical aspects of IT, the role has grown to also incorporate considerations for collaboration (collaborative information management), mobility, and social media.

Recounting one session attended, called Defensible Ediscovery Processes, the author related the variety of definitions provided for the general term “defensible”, which were pretty amusing. These definitions ranged from protected against attack, to “less lousy practices or practices which suck the least” (my personal favorite), and finally, what you can get away with without being found guilty of spoliation. From these definitions then came qualifiers, such as “reasonableness” and “faith”.

Why would defensible processes be important, and how does this relate to IT or cloud computing? An example of the element of “faith” came up in this context: “how can [lawyers] have faith that the technology is delivering the right answers?” A panelist gave the example of “an email retrieved from (or possibly not retrieved from [love those lawyers]) a system, with 26.5 pages missing. How can you be sure that the systems which you are using will not do that to you?” These are valid questions in any IT environment, and are no less important when considering a cloud-based technology model. The trade-offs are related to perfection in functionality and performance of the solution versus cost, and should be measured in proportion to one another.

The tradeoffs may come in a variety of areas, with collaboration and connectivity being the primary drivers (collaboration) and barriers (connectivity) to the model. Businesses are more than ready to adopt cloud computing strategies based on the belief in improved collaboration, access to information, and improved IT management, but tend to overlook the offsets in the areas of bandwidth availability (and consistency), application functionality (or lack thereof), and level of support available from the provider. In support of this argument, Jerry Justice (IT Director for SS&G – Certified Public Accountants and Advisers) posted in a LinkedIn discussion on the topic that “by design the Internet is ‘reasonably’ connected, but not the same as a well-connected [local] network. The upside is it gives you the ability to connect from great distances, the tradeoff is that you experience variable connectivity.”

“The underlying issues are that there is a paradigm shift to working on the Internet (from working in the office) and then another shift when you add in cloud-based environments (versus local apps). It is possible to be very productive, but … you have to adapt your approaches.”

The idea “that perfect must be qualified by cost and proportionality” was also discussed in an ILTA session on cloud computing which included panelists from Autonomy iManage, Mayer Brown, and Ernst & Young.  “Cloud computing remains a contentious area, with no obvious agreement even as to what the term means, let alone as to its implications” wrote Mr Dale in his recap of the event.  While the panelists held differing views, the representative from Mayer Brown held a position similar to Mr Dale, in that it is important to “dissect the objections one at a time, accepting that there is room for more than one view, and testing arguments against the alternatives.  Arguments based on pure cost are pretty compelling, and if one method of achieving an objective is very much cheaper than the others, then the burden shifts to those who argue for the more expensive route.”

Discussions went on to describe differences between public cloud providers and others, who segregate customer data in “private and identifiable silos”. “The key word here is identifiable”, writes the author, “which connotes a geographical certainty as well as anything else. I sometimes wonder if the imagery associated with cloud computing (invariably a jagged line disappearing into some cumulus) does not leave some people with the idea that their precious data is indeed floating in some inchoate container up in the air.”

“If you neglect to provide in your contract that your data remains in a specified jurisdiction, and if you fail to conduct proper due diligence checks on the provider, then you deserve all you get. Like any risk assessment, it involves weighing cost against other factors; most of these other factors are definable and quantifiable.”

I couldn’t have said it better myself.

J

original post March 24, 2011

Mobility and the Cloud – Managing “Bring Your Own Device” and Securing Company Resources

There are lots of reasons why businesses are adopting cloud and Internet technologies in great number, and supporting mobile workers is one of the big ones.  In order for traveling sales people or workers in remote offices to have access to business applications and data, many organizations are turning to hosted and cloud solutions to centralize systems and make enterprise-wide access easier to deliver and manage.

What many businesses are just now realizing, however, is that allowing individuals to use their own mobile devices to access corporate data is exposing the enterprise to new (and often unknown) risk with each and every device and app that gets used.

Most businesses recognize the need to secure corporate systems while allowing users to remotely access resources from home or mobile computers.

Many CIOs and IT managers are failing to address the vulnerabilities introduced through the proliferation of tablets and smartphones in the business. Some enterprises initially embraced the concept of “bring your own device” [BYOD], as it tended to encourage users to work from home or while on the road, increasing employee productivity and keeping workers more “attached” to their jobs – all without the business having to pay for the device.

With growing numbers of reported “rogue apps” and apps that secretly collect and pass data, the potential benefits of allowing workers to use their own devices is rapidly being overshadowed by the risks involved.

Earlier this year, Apple, Facebook, Yelp and several other firms were sued for privacy-infringing apps that, among other things, pillaged users’ address books. …but what if the app uploads a sales representative’s contact list and the developer then sells it to a competitor? That’s a new type of data leakage that most organizations aren’t ready for.

http://www.cio.com/article/716368/Free_Mobile_Apps_Put_Your_BYOD_Strategies_at_Risk  

Phones, in particular, have not traditionally been viewed by most business owners as a primary platform for information theft or damage – other than when an employee uses one to tell someone something they shouldn’t.  But in terms of intrusion, data theft, application hacking and things like that… not so much.

But that was before phones got really smart.

Phones that most folks carry around now are actually computers with a great deal of processing and storage capacity, and as such are just as capable of running bad programs and being vulnerable to attack as their more obvious portable computer counterparts.  Perhaps they are even more vulnerable because of the “connected” nature of the device, because by its very nature it is geared towards communication of information, not just processing it.

It’s not that hackers and developers of exploits (or just bad code) are necessarily focusing on stealing your business data (well, OK, a lot of them are).  Maybe someone just got lucky one day, when they first realized that the employee phone was the “camel’s nose under the tent” which would get them inside, far enough to deliver access to confidential corporate information and data someone would pay for.  People tend to be the weakest element in the security chain, and exploiting vulnerabilities under the guise of “making things easier” for the user has been a highly successful approach (would you like to sign in with your Facebook account?).

..because attacks that target employees may well end up targeting the employer as well, even if the employer wasn’t the original target.

Whether it is intentional or not, the risk is very present, and every business and enterprise has a responsibility to recognize the vulnerabilities introduced with mobile device use and to do what it can to mitigate that risk.  It is also important to recognize that the risk is not a purely personal one, either.

Since the information held by most businesses also includes the information of others – customers, vendors, partners, etc. – it is essential that the business not expose itself to unnecessary problems (litigation, fines or penalties, or simply lost opportunity) caused by accidental leakage of confidential information belonging to 3rd parties.

For some businesses, the best answer may be to only allow use of devices the business provides, along with clearly written use policies and guidelines.  This approach allows the organization to determine which applications may be installed and to dictate how the device is to be used for business needs.

There are even solutions available which can assist businesses in managing the expenses related to mobile devices in the enterprise, addressing not only security and privacy concerns but also helping to optimize expenditures on mobile devices by monitoring contracts and usage, identifying underused agreements or overage charges, or even identifying contracts still in force which should have been cancelled.

For many businesses, however, allowing users to continue accessing business resources with their personal devices may be desirable for a variety of reasons, cost being only one of them.  If this is the case (as it is most often in small and growing businesses), it is important to make certain that users understand what is and is not appropriate device use, and to inform users on the policies relating to apps which may or may not be allowed and why.

Make sense?

J

Compliance in the Cloud – Their System; Your Responsibility

Can you outsource compliance to the cloud?

Outsourcing IT to a cloud service provider can be tremendously beneficial for a business.  The model allows an organization to offload not just IT infrastructure costs, but also the costs associated with developing and maintaining all of the practices and processes involved in managing and maintaining the infrastructure and systems.   There is tremendous responsibility in handling everything from platforms and infrastructure to creating best practices for maintenance, management of scalability and growth, forecasting bandwidth requirements, implementing and monitoring security compliance, creating effective and comprehensive disaster recovery plans, and more.

The question which begs to be asked is whether or not HIPAA, PCI DSS or any other compliance requirements, and the complexities, risk and legalities that come along with them, can also be outsourced to the CSP. For that matter, can any real level of responsibility be fully outsourced, where the liability for non-performance or noncompliance is also fully shifted?

Ummm. No. It is still your problem.

What too many companies really don’t understand is that they aren’t eliminating risk by moving to the cloud, and the requirement to meet various compliance requirements really can’t be outsourced. Particularly in this area, businesses need to recognize that outsourcing certain functions doesn’t reduce or eliminate responsibility or liability.  Just the converse, it could make things a bit more difficult if you don’t keep close tabs on how the provider implements and is involved with your solution. Even beyond that, what is the impact to the business operation when requirements are not met?  Cost recovery from the provider may be one option, but how does that help the business remain operating in the meantime?

“Gramm-Leach-Bliley (GLB) Act: Requires financial organizations to enter into contracts with third parties that they share their customer information with (including cloud vendors) to ensure that the third party handles that information securely. Executives of those financial organizations can be held personally liable for failure to do so.

Sarbanes-Oxley Act (SOX): Defines specific security mandates and requirements for financial reporting to protect shareholders and the public from accounting errors and fraudulent practices. SOX dictates which records are to be stored and for how long and requires the data owner to know the location of the data in the cloud and to maintain control of it. Failure to comply can result in fines and/or imprisonment.”

source: CIO.com

This discussion isn’t limited just to compliance with regulations (at least it shouldn’t be)

In this conversation we need to also address what a business should do in terms of protecting and preserving its information assets (data!) even beyond what the CSP offers. Keeping confidential and private information secure and protecting the data of the business (and clients or patients or other entities) is essential, even when the CSP fails in its obligations or abilities.  This aspect of disaster recovery and continuity planning is not often considered by the CSP yet remains critical to the business customer. The sales pitch, however, never really delves into this area, because it represents an aspect of service coverage that the provider simply can’t provide.

Illustrating this particularly difficult aspect of outsourcing to the cloud is the hard lesson learned by customers of a QuickBooks hosting provider who experienced a severe outage due to a ransomware attack. The hosting service provider promised customers it backed up their data and it did, but the backup archives were also compromised.  In order to restore service, customers were expected to have their own backups of the cloud-hosted data.

While there may have been items in the service agreement which address these issues, I can say – based on a great deal of experience in just this area – the service providers rarely make this point very clear to customers, and more frequently tell customers backing up their data is no longer something they need to really worry about. It’s like that really tiny type at the bottom of a contract that nobody notices until it is too late.

“..restoration proved more difficult in Texas. Lezama explained that for the Texas clients, the backups had been compromised as well, because their backup data had synchronized with corrupt files. But Cloudnine clients are obligated to back up their own data as well, as a sort of third-level security measure..”

source: AccountingToday
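The failure described in that quote, a “backup” that synchronized with the corrupted files, is the difference between a mirror and a versioned backup. The following is an added illustration of that difference, not code from the hosting provider, from AccountingToday, or from the original post: a mirror copy that is overwritten on every sync sits beside an append-only snapshot store whose snapshots are hash-verified against a manifest the customer keeps off the provider’s system. The file names, contents and the “encryption” step are all constructed for the example.

```python
"""Mirror-sync versus versioned, hash-verified snapshots (added illustration).

MirrorSync replaces its copy with whatever the source currently holds, so damage to
the source propagates into the copy on the next scheduled sync. SnapshotStore appends
immutable snapshots and never rewrites earlier ones; a manifest of SHA-256 digests
kept independently by the customer identifies which snapshot is still clean.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

Files = Dict[str, bytes]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MirrorSync:
    """The weak setting: a copy that is overwritten wholesale on every sync."""

    def __init__(self) -> None:
        self.copy: Files = {}

    def sync(self, source: Files) -> None:
        self.copy = dict(source)

    def restore(self) -> Files:
        return dict(self.copy)


@dataclass(frozen=True)
class Snapshot:
    label: str
    files: Files
    manifest: Dict[str, str]  # path -> sha256 recorded when the snapshot was taken


class SnapshotStore:
    """Append-only snapshots; earlier versions are never modified or replaced."""

    def __init__(self) -> None:
        self._snapshots: List[Snapshot] = []

    def snapshot(self, label: str, source: Files) -> Snapshot:
        frozen = {path: bytes(data) for path, data in source.items()}
        snap = Snapshot(label, frozen, {p: digest(d) for p, d in frozen.items()})
        self._snapshots.append(snap)
        return snap

    def verify(self, snap: Snapshot) -> bool:
        """Integrity check: stored bytes still match the digests recorded at snapshot time."""
        return (set(snap.files) == set(snap.manifest)
                and all(digest(snap.files[p]) == h for p, h in snap.manifest.items()))

    def latest_clean(self, known_good: Dict[str, str]) -> Optional[Snapshot]:
        """Newest intact snapshot whose digests match the customer's own manifest."""
        for snap in reversed(self._snapshots):
            if self.verify(snap) and snap.manifest == known_good:
                return snap
        return None


def simulate_ransomware(source: Files) -> Files:
    """Constructed stand-in for encryption: every file's content is replaced."""
    return {p: b"ENCRYPTED:" + digest(d).encode() for p, d in source.items()}


def demo() -> dict:
    # Constructed sample data; the names only suggest a hosted accounting environment.
    source: Files = {"company.qbw": b"ledger data v1", "payroll.csv": b"name,amount\n"}
    customer_manifest = {p: digest(d) for p, d in source.items()}  # held off-system

    mirror = MirrorSync()
    mirror.sync(source)
    store = SnapshotStore()
    store.snapshot("nightly-1", source)

    source = simulate_ransomware(source)  # the outage
    mirror.sync(source)                   # scheduled sync propagates the damage
    store.snapshot("nightly-2", source)   # the corrupt state is snapshotted too, harmlessly

    clean = store.latest_clean(customer_manifest)
    return {
        "mirror_restorable": mirror.restore()["company.qbw"] == b"ledger data v1",
        "snapshot_restorable": clean is not None and clean.files["company.qbw"] == b"ledger data v1",
        "clean_label": clean.label if clean else None,
    }


if __name__ == "__main__":
    print(demo())
```

The manifest kept by the customer is what makes the clean snapshot identifiable without trusting the provider’s own bookkeeping; it is not itself a backup. If the snapshot store lives on the same compromised platform, an attacker who can delete snapshots removes the clean copy too, which is the situation the quoted customers found themselves in and why an independently held copy of the data remained their obligation.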

With compliance in the cloud, it’s their system, but your responsibility.

Outsourcing IT to a cloud service provider in no way eliminates or reduces the obligations of the business to manage certain aspects of information systems and data.  What outsourcing can do is deliver a greater operational capacity and agility more affordably.

The responsibilities to establish information and systems management practices and processes remain firmly with the business, and actually represent a strategic component of the business that is unwise to outsource anyway. Resilience in a business and its ability to conform to regulatory and other requirements are the foundations of sustainability. Remember that cloud providers and services can be leveraged to improve certain cost and system performance metrics, but it remains solely with the business customer to find ways to reduce risk and create a greater assurance of continued operational capability.

Make Sense?

J