After the end of quarter madness calmed down on Friday afternoon, I had a few minutes to reflect on an interesting panel discussion I sat on (to which I was almost late). I was speaking with a group of underwriting and legal professionals about cloud computing and the security and compliance problems it presents. The fear in the room was nearly tangible.

The Storm is Coming, by innoxiuss

As with most issues relating to information security, it all comes back to the data. Cloud services are perfect for some applications and downright frightening for others. This is not to say that certain cloud types are inherently more insecure (although in some cases they are); it is more about how the structure of a cloud service relates to its economic model. Cloud services that look better economically may have an inverse relationship with security (perhaps an instance of the Security/Functionality continuum?).

The economic power of Software as a Service (SaaS), which is typically deployed in a public cloud manner, is more than compelling. Paying low monthly prices for software or hardware that would normally cost millions is attractive to big and small businesses alike. But with a low, utility-like cost come assumptions and a Teflon-like contractual liability position that could leave you in the lurch when bad things happen.

In order to figure out how to leverage cloud services in your enterprise, you must know what data your company stores, processes, transmits, and maintains ((Let’s differentiate store from maintain: stored data is just sitting there, while maintained data is kept up to date.)) for business purposes, and where each of those things happens. It’s a daunting task, I know. But rest assured, the vast majority of companies have only partially completed it. Starting today means playing catch-up, but not by much. Once you know the what and the where, you can focus on the how.

Public data, meaning any data that is not regulated and does not need to be kept in the same vault as the Coca-Cola formula, is an excellent candidate for a public cloud solution. It could be things like an e-tailer’s product catalog or an airline’s fares and route map ((If you think this stuff is secret, think again.)). If your business spends an abundance of resources serving public data, and your peak times are infrequent (such as Cyber Monday), putting that data into a public cloud makes sense.

Private data or regulated data can still go into a cloud service, but the contracts and costs are much different, making the economic model much less favorable ((Though in many cases still more favorable than investing in idle bare-metal boxes.)). Cloud providers that knowingly house sensitive data should be responsible for securing it, should comply with any international or sovereign-territory laws associated with the data, and should take on liability in their contracts so that if you become party to a lawsuit for something they did, some of your legal risk is reduced. Since many cloud providers are essentially CPU-cycle sellers, their Service Level Agreements (SLAs) with you may allow for overflow capacity from other parties to ensure they can continue to provide good service. This may mean that a third party’s third party is handling your sensitive data.

That is scary.
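The procedure above (inventory what is stored, processed, transmitted and maintained and where; tag what is public versus regulated; then judge a provider against the data) can be written down as a simple check. The following is an added example, not code from the original post: the asset names, provider names, regulatory tags and decision rules are all constructed for illustration, and a real classification would be driven by your own inventory and counsel.

```python
"""Data-first cloud placement check (added example, not from the original post).

Models the post's procedure: inventory what data is stored / processed /
transmitted / maintained and where, tag public versus regulated, then decide
whether a given provider is an acceptable home for it. Every asset, provider
and rule below is a constructed illustration.
"""
from dataclasses import dataclass, field

ACTIVITIES = {"store", "process", "transmit", "maintain"}


@dataclass
class DataAsset:
    name: str
    activities: set                       # which of ACTIVITIES apply to this data
    locations: set                        # where those activities happen today
    public: bool = False                  # true only if disclosure carries no risk
    regulated_under: set = field(default_factory=set)  # e.g. {"PCI-DSS", "GDPR"}
    residency: set = field(default_factory=set)        # jurisdictions it must stay in


@dataclass
class Provider:
    name: str
    regions: set                          # jurisdictions the service runs in
    supports: set = field(default_factory=set)  # regimes the contract covers
    accepts_liability: bool = False       # indemnifies you for their own failures
    uses_subprocessors: bool = True       # overflow capacity via other parties


def inventory_gaps(asset):
    """Reasons an asset cannot be evaluated yet: the 'what and where' are missing."""
    gaps = []
    unknown = asset.activities - ACTIVITIES
    if unknown:
        gaps.append(f"unknown activities {sorted(unknown)}")
    if not asset.activities:
        gaps.append("no activities recorded")
    if not asset.locations:
        gaps.append("no locations recorded")
    if asset.public and asset.regulated_under:
        gaps.append("marked public but also regulated; classification conflict")
    return gaps


def placement(asset, provider):
    """Decide whether `provider` may hold `asset`.

    Returns (verdict, reasons) where verdict is one of
    'incomplete', 'public-cloud-ok', 'ok-with-contract', 'reject'.
    """
    gaps = inventory_gaps(asset)
    if gaps:
        return "incomplete", gaps

    if asset.public and not asset.regulated_under:
        return "public-cloud-ok", ["no regulated or private data"]

    reasons = []
    # Regulated data: the contract must cover every regime the data falls under.
    missing = asset.regulated_under - provider.supports
    if missing:
        reasons.append(f"provider does not cover {sorted(missing)}")
    # Sovereignty: every region the service runs in must be an allowed jurisdiction.
    if asset.residency and not provider.regions <= asset.residency:
        outside = sorted(provider.regions - asset.residency)
        reasons.append(f"runs outside allowed jurisdictions {outside}")
    # Liability: private data needs the provider to own its own failures.
    if not provider.accepts_liability:
        reasons.append("provider does not accept liability in contract")
    if reasons:
        return "reject", reasons

    notes = ["regulated/private data: contract and cost differ from the public tier"]
    if provider.uses_subprocessors:
        notes.append("provider uses subprocessors; a third party's third party may handle this data")
    return "ok-with-contract", notes


# Constructed sample inventory and providers.
CATALOG = DataAsset("product-catalog", {"store", "transmit"}, {"on-prem-web"}, public=True)
CARDS = DataAsset("cardholder-data", {"store", "process", "transmit"}, {"on-prem-pci-zone"},
                  regulated_under={"PCI-DSS"}, residency={"US"})
UNKNOWN = DataAsset("legacy-export", {"store"}, set())   # nobody knows where it lives

CYCLE_SELLER = Provider("cheap-compute", {"US", "SG"})
REGULATED_HOST = Provider("regulated-host", {"US"}, supports={"PCI-DSS"},
                          accepts_liability=True, uses_subprocessors=True)

if __name__ == "__main__":
    for asset in (CATALOG, CARDS, UNKNOWN):
        for provider in (CYCLE_SELLER, REGULATED_HOST):
            verdict, reasons = placement(asset, provider)
            print(f"{asset.name:16} -> {provider.name:15} {verdict:17} {reasons}")
```

The inventory check runs first on purpose: an asset whose location is unknown, or that is tagged both public and regulated, is never evaluated against a provider, which mirrors the post's point that the how cannot be decided before the what and where are known. The subprocessor note on an otherwise acceptable placement is the flag to chase in the SLA.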

Cloud services represent a transformation in the way we handle information that is too compelling to ignore. As security professionals, we must lay the groundwork for a safe and sensible migration to this type of technology.

And it all starts with the data!

This post originally appeared on
