informa
/
Commentary

Your Cloud Insurance Policy

Security is all about managing risk -- looking at the threats, evaluating the likelihood that they will affect you, and determining what the impact would be. But in the end, do the numbers really make us feel warm and fuzzy? I didn't think so.
Security is all about managing risk -- looking at the threats, evaluating the likelihood that they will affect you, and determining what the impact would be. But in the end, do the numbers really make us feel warm and fuzzy? I didn't think so.Before software as a service (SaaS), cloud computing, and other nebulous-feeling terms that ultimately mean your data isn't sitting on your servers in your data center anymore, managing risk seemed a whole lot easier. You put in a firewall, set up an IPS, ran antivirus everywhere (yeah, I know, but it's another layer), encrypted your sensitive data, etc., and you were taking action on protecting your data and reducing the risk of exposure.

So how do you address that risk when the data no longer lives on your server, where you can encrypt the hard drive and protect the data if it is ever stolen, or update the IPS rules to protect against new attacks? I've been thinking about this lately because of some upcoming projects, and I'm not sure that it's all that different from what we've been doing in our private lives as consumers, home owners, and drivers of vehicles.

Insurance: Sometimes we buy extended warranties (basically, insurance) that we expect to cover the replacement of a product that is damaged or not working properly. We buy home insurance that says a company will help repair/rebuild our home if something happens that is covered under our contract. Buying into cloud computing and SaaS requires faith in the terms and conditions of our contract that is similar to the faith that we have as consumers and homeowners with our insurance companies.

Moving to a cloud-based solution or SaaS requires that we (including the vendor) agree to the transference of risk. What I'm still not settled on is whether that's a good thing. I've seen many a situation where IT groups would be much better off paying to have someone else manage their services because they were understaffed and had practically no budget.

But who takes the fall if sensitive data is exposed through a hack against the vendor's systems? You, the client. It doesn't matter if it was your system or their system because it was your data to protect. Your company's name will still be the one getting bad press even though you have someone to blame it on.

My question to those of you already using these types of services is: Does the contract state what happens if your data is breached while on servers they manage? Is there some type of coverage for attempting to repair your reputation due to negative PR surrounding the incident? Send me e-mail or leave me your comments below.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Recommended Reading: