Debunking the Myths of Cloud Computing: Cloud Computing Is not Secure

Cloud computing myth #1: “It isn’t secure”

In fact, cloud computing can deliver greater security at lower cost. As the Obama Administration recently said, “Cloud computing can reduce costs, increase security, and help the government take advantage of the latest private-sector innovations.” So why does the myth persist?

In cloud computing, a provider houses and processes the data outside of the facilities and administrative control of the enterprise that owns it. Contractual arrangements and guarantees have to substitute for institutional security measures. This puts a premium on the proper selection of the cloud provider, and that can be scary.

But finding the right cloud provider doesn’t create inherently greater security risks. In fact, storing and processing data in the cloud can increase information security, reduce risks of unauthorized access, and save information security resources.

It is true that storing information in a central place creates a greater incentive for hackers: Willie Sutton robbed banks because that’s where the money was. The more money in the bank vault, the more interested Willie would be. The same is true of information gold: large concentrations of valuable information attract thieves.

But precisely for that reason providers of large data centers take extra precautions. For private clouds, there is really no difference between a large amount of data stored on premises and the same amount stored in a remote facility. They both have to be protected and the safeguards are largely the same. In a public cloud where data from several customers are combined in the same facility, special administrative and physical controls are used to provide adequate protection.

The advantage of centralized data storage is economies of scale, as Darrell West pointed out at a recent Brookings Institution event on cybersecurity. The combined nature of computing resources in the cloud enables providers to enhance such key security techniques as prediction and detection of threats, and to provide for quick remediation through streamlined installation of solutions. A small company cannot afford to hire the best security experts or keep up with the latest and most expensive control technology. But a large data center can. For this reason, cloud storage for smaller companies is more secure than local storage.

There’s no question that providers of multi-tenant cloud architectures must take special precautions. But that is true in many industries. To meet the special needs of the payment card industry, the card networks developed the Payment Card Industry Data Security Standard (PCI DSS), which put in place specific requirements for those who store, process or transmit cardholder data. The same can take place in the cloud industry pursuant to a variety of information security initiatives.

Some have thought that special security needs for an industry should mean special security laws for that industry. But that is a mistake. The payment card industry developed PCI DSS autonomously, with no involvement of regulators or legislators. Moreover, regulators should not be mandating specific standards, because doing so can freeze innovation where it is needed most: in developing new techniques to protect data. For this reason, special security laws applicable only to the cloud environment are not necessary.

Can the cloud be new and scary from the point of view of information security? Yes. But it is important to locate the true source of the fears. It is not an intrinsic riskiness of the cloud environment. The cloud is as safe as or safer than on-premises computing. The real concern should be finding the right provider who can deliver the increased security that the cloud makes possible. The industry needs to develop mechanisms that can help cloud customers make this decision with a greater sense of confidence.

Announcing CEO Interview Publication: SIIA’s Vision From The Top

SIIA is launching a new publication at this year’s All About the Cloud conference, “SIIA’s Vision From The Top”!

The publication brings together thought leadership from over 45 SIIA member companies. Their CEOs were asked to address the past, present and future changes in the software industry.

‘It’s Time to Sell the Yugo,’ or ‘Why Software Compliance and Piracy Enforcement Needs a 25 Year Upgrade’

Written by Jim Nauen, VP, Global Sales

A few weeks ago as I was getting ready to speak at a local HTCIA chapter in California, I started thinking about how little progress has been made in Software Compliance over the last 25 years. Having recovered over $130 million in compliance revenue over the last 20+ years for a number of large and small software vendors, it seems in 2011 that Software Compliance and Piracy Enforcement is still largely a matter of blind luck for many software vendors.

Hit-or-miss manual audits, whistleblower leads, channel-partner tip-offs, even mystery dialing are still the main sources of overuse and piracy enforcement leads 25 years later, which is like driving in the dark with your headlights off and hoping to find the road. In keeping with the 80s, let’s call it the Yugo strategy of compliance revenue recovery. Why would you wait and hope that these leads come to you, instead of using modern methods of aggressively tracking and pursuing companies illegally using your software?

To continue reading this post, please visit the V.i. Labs blog.

Jim Nauen

FedRAMP is key to “Cloud First” Federal policy; security controls pose a hurdle

Without question, the Federal Government has accurately identified cloud computing as a great opportunity for significant cost savings, flexibility, fast deployment and lower risk of project failure across all agencies. In December 2010, U.S. Chief Information Officer Vivek Kundra unveiled the 25 Point Implementation Plan To Reform Federal Information Technology Management, which lays out an 18-month execution strategy to improve Government efficiency, effectiveness, and service delivery.

One of the key components of the plan is the launch of a “Cloud First” policy, where each agency CIO will be required to begin migration of multiple services to the cloud in the next 12-18 months. Central to the effort to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products is FedRAMP (the Federal Risk and Authorization Management Program), a program that proposes to provide joint authorizations and continuous monitoring for government and commercial cloud computing systems intended for multi-agency use.

While it’s a laudable goal to streamline and simplify cloud computing security risk assessment controls across agencies and to ease the certification process, the most recent FedRAMP draft still suffers from being an impractical, high-bar approach to achieving the “approve once and use often” goal for cloud computing implementation across agencies. With the clock ticking on the aggressive “Cloud First” implementation timeline, SIIA submitted comments highlighting the various challenges posed by the current proposal. Fortunately, Vivek Kundra and key Federal IT leaders continue to demonstrate a dogged determination to make the Cloud First policy a success, so hopefully there’s still time to fix FedRAMP and begin migrating to the cloud.

To that end, SIIA’s Cloud/gov conference couldn’t come at a better time this year, as agency CIOs assess the opportunities and challenges presented by this new policy. On February 17th, the conference will provide a timely opportunity to hear from Federal IT leaders from GSA, NIST and NASA, and talk with colleagues from other agencies about the opportunities and challenges presented by the new Cloud First policy.

For more SIIA policy updates, subscribe to the Digital Policy Roundup, SIIA’s weekly policy email newsletter.

SIIA CEO Interview with Bill Loss, SaaShr.com

What will the software industry look like in 3, 5, even 10 years from now? And what customer demands and business trends will drive changes in software products, how they’re developed, and the industry that provides them?
Given the dynamics of innovation and ever-changing user landscape, in many ways it’s difficult to predict what the software industry will look like in 3 years let alone 5 or 10 years. With this said, however, here are some thoughts for consideration.

Security: Security will ultimately be linked more often to an individual’s biometric markers. The trend continues towards multi-factor authentication where both physical and virtual considerations prevail. As advancements in security technology are achieved, cyber criminals will also continue to advance and keep this segment of the software industry ever-changing.

Private, Public and/or Hybrid Clouds: The existence of all three may very well be a reality for years to come. With most business decisions, associated risk must be well balanced with specific technology advancements to determine appropriate IT decisions. When it comes to private and public clouds, attention will remain focused around the sensitivity of intellectual property and related data which is collected, processed and stored. [Read more...]