Risky Business #143 -- Cloud computing and the history of electricity

Patrick Gray
Veteran Member
Blogger, Netcaster, Site Owner
Joined: 03/02/2009

On this week's show we're having an extended chat with our good mate Greg Shipley.

Greg's best known as the CTO of Chicago-based information security consultancy Neohapsis, and he'll be joining us to talk about what was on the agenda at the RSA conference. Apparently it's cloud, cloud, cloud... but what does that actually mean, mean, mean? Greg will be along soon to discuss; he's always good.

pleriche
Newbie
Joined: 04/11/2009
Security Questionnaires

You discussed at length the problem of cloud providers being asked to complete different security questionnaires on behalf of each client. This is obviously untenable. Apart from the duplication of work, what if different clients require conflicting controls, or a client demands controls that are inappropriate to the risk? What if one client demands a very strong and onerous password policy but only average physical controls, and another demands the reverse? They might be equally valid approaches to mitigating the risk, but you could end up with an impossible environment and everyone finding insecure workarounds to get the job done.

So has no one out there heard of ISO27001? The whole idea of the standard is that a client or business partner can have confidence that a certified service provider is doing the right thing, at least to a certain level. And regular internal and external surveillance audits will be mandated by the certification authority to ensure they’re still doing the right thing. If a client wants more detail, he can ask to see the Statement of Applicability, which says which controls have been implemented, and if not, why not. And if that isn't sufficient for a potential cloud customer, I'd suggest he probably shouldn't be considering cloud in the first place, and really ought to keep his risk in-house.

The standard argument against this approach is that it's easy to tick the boxes and still screw it up, because you didn't engage the brain. (“Yes, of course we’ve got a firewall. It’s in that cardboard box in the corner!”) This can be true of PCI-DSS, but ISO27001 demands that you attempt to measure risk, and apply controls commensurate with the risks that you've identified, as part of a holistic Information Security Management System. In other words, you can't get ISO27001-certified without a brain. As a potential client, you might also want to look at who issued the certificate. In theory, ISO27001 is ISO27001, but in practice you might give it more credence if it was issued by a major institution such as the British Standards Institute rather than the food safety officer of a banana republic.

When it was still BS7799 there was an excuse. But not now it’s been ratified as ISO27001.

Patrick Gray
Veteran Member
Blogger, Netcaster, Site Owner
Joined: 03/02/2009
This is core to the

This is core to the conversation we were having. We need to work out which standards should be adopted and how they should be applied.

The food safety officer of Equatorial Guinea has certified this post.

Stedlar
Newbie
Joined: 04/13/2009
Frustrating and time consuming

I hate the security questionnaires so much. Every one of them is sufficiently different so as to require a unique answer. My platform's security hasn't changed, but the way I'm required to describe it is always completely different from last time. It's very time consuming.

I get that they need to know, I just wish they were all reading from the same "Security Questions for Dummies" website.
