Today started with a stereotypical cloudy rainy morning in San Francisco. This was appropriate because I spent a lot of time in the Cloud Security track and listened to a lot of panel conversations on the Cloud. The panel members worked for some pretty big companies like eBay, USAA, and Bank of America. I also had the opportunity to sit in on a Peer2Peer Session discussing the Cloud. There were a lot of recurring themes I observed running through all of these conversations.
1. My security controls must focus on the data.
The data is where the value resides. The only reason we have a vast majority of our security controls in the first place is to protect the data. The controls are there to protect the confidentiality, integrity, and availability of the data because it is what ultimately drives revenue and profit. That data could be intellectual property that gives us a competitive advantage or it could be the card holder information we use to extract payment for goods and services rendered. The data is the manifestation of value for most of our organizations.
2. Authentication and authorization data is the most critical data set.
Authentication and authorization data is the most important data set because it determines who can see the data and how they can use it. I think this data also forms the basis of trust in the systems holding the data. We can only trust when we know who the person is, which determines what authority we give them.
3. Cloud services are young and immaturure, which create uncertainty. Start liking it, because is ain't gonna change.
One observation that was very clear is that no one is exactly sure of what they are doing with regards to the Cloud. We have a lot of good ideas but we're still experimenting to see what works best and what doesn't work at all. The Cloud Security Alliance seems to be the best place to find sound Cloud practice right now. This creates uncertainty in spades. We need to get used to the uncertainty and embrace it. This leads me to my last observation...
4. I need to communicate the risk associated with the Cloud effectively to my business leaders in terms they understand.
I barely have my head around the risk of the Cloud, how can I expect execs to understand the risk when they only know it as a buzzword? If I were to explain to a C level executive that we have a high risk to data compromise if we store it in a Cloud service with a multitenancy architecture, they will look at me they way my dog looks at a noise it doesn't understand. If I'm lucky. I need to go to my business leaders and tell them using the Cloud service in question will result in an annualized risk of between $25,000 and $75,000. They totally get that and can compare it the projected annual savings.
I also attended a session describing the psychology of Internet predators. This was enlightening as it discussed the framework the predators use to manipulate their victims. Quite frankly, anyone can use the principles in the same way. It was a handy piece of information have in my hip pocket.