So cloud computing is one of the current buzzwords going around. The idea is that you move your content and have services delivered over the Intertubes. There are obvious benefits for an organisation: scalable, on-demand services, possible reductions in cost, and someone else takes care of all the headaches.
Lots of companies have been doing this for a while, such as the likes of Message Labs and their offering of mail filtering in the cloud, and it is a good, efficient service. Now more and more people are jumping on the bandwagon, offering storage and various other services. So this is all great, right?
Well, maybe it's just me, and maybe I am misinformed, but it gets me a little worried. So let's take our valuable, business-critical information and hand it over to another organisation offering services over the Internet. I now have a few quid in my back pocket, and I am a happy chappy.
Then something goes wrong: some crucial data goes missing, the link goes down, the nightmare could take many forms. Not a problem, you think: you have backups, you have logs to review, you know appropriate access controls are in place. Well, it turns out that perhaps your business didn't carry out enough verification before signing up.
I think a lot of companies offering these in-the-cloud services may not have the robust controls we know and expect in the enterprise, and when you come to carry out your post-incident investigation, you may find it seriously impaired.
This comes down to not really knowing where your data is stored, who has access to it, what's backed up and when; the list goes on. I guess I am just paranoid, and some may argue there isn't much difference between this and standard outsourcing. The important thing is to ensure InfoSec is given due consideration before the contract is signed: plan ahead as to how you would handle an event or incident and what resources (logs, backups, access to the provider's staff) you will need. Also consider where the data will be stored, where ownership sits, legal implications, compliance and regulatory issues, as well as how outages will be handled.
I am sure this all seems obvious to us as InfoSec professionals; however, we know that organisations still fail to take care of security basics like OS and application patching, so it is worth spelling out.