Greg Shipley,* CTO of Neohapsis, wrote an article in Information Week magazine about cloud computing risks, making the following points:
1) One company discovered it was using Amazon’s cloud services when employees tried to expense the bills. It’s 10 o’clock; do you know where your clouds are?
2) Since high-tech, bright-minded Google has been the target of successful attacks, “how safe could…data possible be anywhere?”
3) Do cloud providers have the security controls in place to mitigate the risk associated with their clients’ data?
4) “Most cloud providers don’t have ‘transparency’ as part of their vocabulary” when it comes to security and compliance controls. Shipley insists clients get more information from cloud providers on the following:
- Quality assurance processes
- Financial health
- Dependence on other suppliers
5) Determining which security controls are required and verifying that a cloud provider has them in place are two separate challenges.
6) SAS 70 audits are of questionable value, are not standards-based like Generally Accepted Accounting Principles, and are too often based on outdated controls.
7) A standard model, such as the one being developed by the Cloud Security Alliance, is needed to “request, gather, and compare cloud provider letters of attestation, third-party reports, and control objectives.”
8) Whether a standard model will be adopted by cloud providers is questionable; lip service is likely.
Read the entire article here.
*I recommend reading anything Shipley writes; he’s that interesting. I had the pleasure of meeting him once at a conference, but that’s a post for another day. We had a good debate.
Another cloud computing post – Ready for Cloud Computing?
One response to “Shipley on Cloud Computing Risks”
This article was well written and informative. As IT auditors at Continental Audit Services, we try to identify specific IT risks as accurately as possible. This article gives some valuable information on specific risks in cloud computing e.g. lost media, cyberthreats, data loss. Some related controls are also discussed with a focus on the SAS70. We’re happy to see that this topic is now on the radar screen.