it doesn't really fit the usage of the term, but you're already in the cloud today. your credit card info resides on many different corporate networks. so does your ssn, your mother's maiden name, and everything about you that lets you validate and authenticate yourself with all of the entities you interact with on a day-to-day basis. all of this information is already beyond your ability to protect.
so as "the cloud" gets buzzier and buzzier, it makes sense to examine it. don't freak out on me and start doing the "nonono, it's a bad security thing, get it away!!!" routine. don't try to stop it, because it will flow right around you (and your tower ;) and pass you by.
business and user communities generally don't consult security peeps until the enemies are at the gate, or a shot has already been fired (and probably found a target).
it is frustrating that we sometimes have to jump up and down screaming to get noticed, but in a way the business is practicing risk management by not implementing everything we sec-folk dream up. it is really tough to accept unmitigated risks that exist within the environments we are charged with protecting, but sometimes we need to act more like actuaries studying mortality tables: quantify the exposure, price it, and accept what the business is willing to carry. when you're looking at your org, spend some time looking at risk from 10k meters, not just at the individual holes.
we place faith and trust in many places which can be exploited today, yet we feel reasonably safe. can you honestly say that your data is less secure in the cloud than it is on your local lan? really? because i've seen a fair number of local lans, and nearly all of them have higher exposure to internal threats and dedicated external attackers than i feel comfortable with.
(some) cloud companies are going to design (some) security into their models, and it might be better than what you have today, with all your un-audited server shares with default 'everyone' read permissions all over the place, and mobile machines traversing between your lan and hostile networks and coming back in behind your perimeter.
some cloud companies are going to make mistakes and get owned. some data will be disclosed. some cloud companies will learn, and some of those will improve.
i heard once that the us navy seals emphasize the phrase 'it pays to be first' during BUD/S hell week. well, sometimes it doesn't pay to be first. i remember reading a story about a soldier in bosnia during the initial deployment in the 90s. he was manning a turret in a convoy when a rock was thrown up by the vehicle in front of him, and he was killed. doing high-speed convoys on rock roads was a new thing for that unit, and there was an unforeseen risk. that really sucks. later convoys implemented counter-measures (drive slower, protect the turret from thrown rocks, etc.) to adapt to the risk.
it hurts to be the first guy when you're faced with unidentified risks. but you can't be so afraid you don't operate. so when you're out there, try to be like spike:
It's not about strength or power - you gotta be fluid ... Water can take any form. It drifts without effort one moment then pounds down in a torrent the very next
if your org starts using the cloud, and you perceive that the risks you face are increasing, develop controls and procedures to mitigate them as best you can, and roll with it ;)