CIOs Dismiss Cloud Security Concerns

Today I read an article on the web about “CIOs dismissing Cloud Security Concerns”. I found the article quite irritating. First, because this has not been my experience in the field, where CIOs are very concerned about security, even if only from a compliance perspective, and second because this is only one of many articles I have seen in recent months trying to downplay security concerns in cloud computing.
Clearly you can start to feel the frustration of many cloud computing providers/vendors about the slow adoption of their new vision of IT by most corporations. And is it really new? I remember, as an ex-IBMer, the ON DEMAND campaign almost 10 years ago; wasn’t that basically cloud computing? Well, wake up, cloud computing providers, and start knocking on the doors of IBM/EDS and all the other providers of outsourcing services. They have been there before, from a security and legal standpoint. They will tell you how painful it will be to convince large corporations to move their crown jewels to the cloud.
Instead of downplaying security concerns, why don’t you lay out a roadmap for your clients showing how you will solve all of their concerns about cloud computing? Large corporations will always test you. You will get a little piece of the action (sandbox environments, for example) and will have to prove yourself worthy. Then, if you were successful, you will get a larger part of the pie. So what are the security and compliance requirements of corporations that cloud computing providers will have to address in the coming years? Here is a short list:

  • Robust Access Control Capabilities: (Above all for providers like Google App Engine and Windows Azure)
  • Logging & monitoring
  • Audit trails
  • Long-term Archiving
  • Legal support for cross-national compliance issues (Ever wondered why big outsourcers like IBM/EDS have at least one outsourcing center in every country?)
  • SAS70 certifications and Security SLAs
  • Assurance that the BIG4 audit companies are going to support this move: if you do not convince Deloitte/E&Y/PwC and KPMG, you will be facing an uphill battle

So, dear cloud computing providers, get back to the drawing board and spend some money on these fundamental questions, instead of on ridiculous surveys.


The Essence of SOX, J-SOX, EuroSOX and many more

While I was preparing a speech about the influence of national and international laws on the content and design of GRC tools, I did some research and tried to find all the laws and regulations that you need to follow when you run your business.

I started with SOX section 404 (we all know it well), moved to J-SOX, EuroSOX and then to the national laws of Germany like the Abgabenordnung (AO), which is part of the Handelsgesetzbuch (HGB)… it was quite interesting to read all those modern sections detailing the traditional laws. Well, I continued and looked into the German data protection law “Bundesdatenschutzgesetz”, followed by some research on the German corporate governance law KonTraG (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich).

If you then start to look into specific regulations for industrial sectors, you will find many, many more – a very prominent one is Basel II for the banking sector, regulating which risks a bank should take and which ones are too dangerous because they would burn the substance (equity quotes).

After browsing through the German BSI IT-Grundschutz (equivalent to ISO 27001), I thought it could be pretty simple… I had three letters in my mind – guess which ones they could be?

Nothing has changed over the years as those laws were published and evolved. It is all about handling the complexity of more and more information and data that is processed in your IT systems.

In the end, the essence of all those laws is about establishing transparency by building up an Internal Control System. And here the Segregation of Duties (SoD) concept comes in – a control system means that you need to establish SoD checks, and no one should be able to have power over a full business process. It is all about SoD – nothing more, nothing less…
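To make the SoD check concrete, here is an added example (not code from the original post or from any GRC tool) of the smallest useful form of such a control: a conflict matrix of "toxic" permission combinations that together give one person a whole business process, applied to role assignments. The roles, permissions, rules and user assignments are constructed sample data. It goes one step beyond the paragraph by also deriving the role pairs that must never be granted together, which is what a provisioning pre-check needs.

```python
# Added example: a minimal Segregation of Duties (SoD) check.
# Roles, permissions, rules and assignments below are constructed sample data,
# not taken from any real system.
from itertools import combinations

# Which business-process steps each role can perform (constructed).
ROLE_PERMISSIONS = {
    "vendor_admin": {"create_vendor", "edit_vendor"},
    "ap_clerk": {"enter_invoice"},
    "ap_manager": {"approve_invoice"},
    "treasury": {"execute_payment"},
    "auditor": {"read_ledger"},
}

# Toxic combinations: if one person holds every step in a set, they control
# a full process end to end and can both commit and conceal an error or fraud.
SOD_RULES = [
    ("procure-to-pay: create vendor and pay it", {"create_vendor", "execute_payment"}),
    ("procure-to-pay: enter and approve own invoice", {"enter_invoice", "approve_invoice"}),
    ("procure-to-pay: approve and pay", {"approve_invoice", "execute_payment"}),
]


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles, rules=SOD_RULES, role_permissions=ROLE_PERMISSIONS):
    """Return {user: [names of violated rules]} for users whose combined roles
    grant every permission in some toxic combination (detective control)."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [name for name, toxic in rules if toxic <= perms]
        if hits:
            findings[user] = hits
    return findings


def conflicting_role_pairs(rules=SOD_RULES, role_permissions=ROLE_PERMISSIONS):
    """Role pairs that must never be held by the same person (preventive
    control: check before the second role is provisioned)."""
    pairs = set()
    for a, b in combinations(sorted(role_permissions), 2):
        perms = role_permissions[a] | role_permissions[b]
        if any(toxic <= perms for _, toxic in rules):
            pairs.add((a, b))
    return pairs


# Constructed sample assignments.
USER_ROLES = {
    "alice": ["vendor_admin", "treasury"],  # can create a vendor and pay it
    "bob": ["ap_clerk"],
    "carol": ["ap_manager", "treasury"],    # can approve and pay
    "dave": ["auditor"],
}

if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES).items():
        print(f"{user}: {', '.join(hits)}")
    print("role pairs that must not be combined:", sorted(conflicting_role_pairs()))
```

The two functions correspond to the two halves of an Internal Control System: `sod_violations` is the periodic review that an auditor would run over exported role assignments, and `conflicting_role_pairs` is the rule the provisioning workflow should enforce so the violation never arises. A real ruleset is larger and usually expressed at the level of transactions or authorization objects rather than coarse roles, but the subset test is the same.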