October 2010 Archives

Keeping Clouds Tethered to Enterprise Security Policies

Don't Let That Hosted Security Service Float On Its Own

At the recent ASIS 2010 conference, several presentations focused on using cloud-based security applications. Instead of installing servers and infrastructure to support access control, video surveillance, storage, analytics and more, security professionals can now contract for these services from third parties who deliver them via the Internet.

It's the "third party" aspect that gives some people pause about the cloud. According to IBM's Institute for Business Value 2010 Global IT Risk Study, concerns about the security of computing in the cloud are still inhibiting wider adoption of hosted solutions: 77 percent of respondents believed that adopting cloud computing makes protecting privacy more difficult, 50 percent are concerned about a data breach or loss and 23 percent indicated that weakening of corporate network security is a concern.

Earlier this month, IBM introduced a suite of services designed to help enterprises develop strategies to ensure their use of cloud applications is secure. To learn more about what physical security professionals should consider when evaluating cloud-based solutions for their needs, Security Squared spoke with Jason Hilling, managed security services portfolio manager, IBM Global Technology Services.

What follows is a transcript of our conversation, edited for clarity and length.


************

Sharon J. Watson, Security Squared: I'm trying to help our audience understand what some of the criteria are they could use to evaluate the security of cloud offerings. Are there checklists or particular certifications out there today they can look for?

Jason Hilling, IBM: What people need to think about is that securing the cloud is all about securing the data that's within it. That's a common IT practice that we've all been comfortable and familiar with, developing and refining over the many years we've been supporting enterprise networks inside of our own data centers as well as in hosted data center environments.

When you think about putting data in the cloud, like digital video data, you need to look at it from a methodology perspective. You need to assess the types of data or types of workloads that are going to work for your organization in the cloud, because security isn't a one-size-fits-all endeavor. Every individual vertical industry has different requirements and different regulations it needs to adhere to. There really isn't a single silver bullet recommendation that says, go watch for XYZ. You need to strategically look at the workloads and understand, from a risk tolerance perspective, which are the ones that can be moved outside of your organization.
