We all know them almost by heart: PCI, SAS 70, HIPAA, SOX, and the ton
of federal, state and business-driven rules and regulations that
companies and security engineers need to keep up with. In a rational
and impassioned blog entry, Rational Survivability asks whether regulators
are keeping up with changes in the cloud computing environment.
My belief, given what I have seen of how people adapt to change, is
that the answer is no, unless there is a compelling reason for them to
keep up with the latest technology.
Audit firms like Deloitte and Ernst & Young have such a reason: they
know they will be walking into cloud computing environments around the
world when they audit the companies they consult for. They also know
they will be looking at how the company's existing controls, standards
and practices have been extended into the cloud environment to satisfy
audit regulations and legal requirements. Unfortunately this means
people will be spending significant hours learning about cloud
computing security.
What makes Rational Survivability's article interesting are the last
two paragraphs. They point out that there are things the individual
within a company can reasonably do to stave off a failing mark from an
auditor when the company's controls do not extend into the cloud.
(There is software that does this now, but it is very expensive and at
times a hard sell to management.)
There are TONS of things one can do in order to make
up for the shortcomings of Cloud security today. The problem is, most
of them erode the benefits of Cloud: agility, flexibility, cost
savings, and dynamism. We need to make the business aware of these
tradeoffs as well as our auditors because we're stuck. We need the
regulators and examiners to keep pace with technology — as painful as
that might be in the short term — to guarantee our success in the long
term.
Source: Rational Survivability
Technologists sometimes forget that it is the business, and the needs
of the business, that drive cultural change within a company. Normally
there is one early adopter who pushes an agenda for shiny new
technology within a company. These early adopters do not always come
from inside the IT shop; they can come from any corner of the
organization. Cloud computing, with its realizable cost savings and
rapid prototyping of projects, software and services, is a major
disruption to the organization: not just to the IT shop and how it
runs, but to the security group and to the management groups charged
with helping the business make money.
Cloud computing disrupts many current business processes, and it
unsettles territorial and managerial groups along with them. It is no
surprise that many groups within a company are looking at cloud
computing and wondering how to take advantage of it. The good part is
that cloud computing, if done right, is simply an extension of any
other "remote site" you might have, and that includes extending
controls, policies and access to that remote site just as you would to
a branch office or a hosted data center. The only real question is:
are companies doing this yet, or are we still wondering exactly how?
The next question is: what are the regulators up to?
(Cross-posted @IT Toolbox)