
Perimeter

8/24/2009
03:36 PM
John H. Sawyer
Commentary

Your Cloud Insurance Policy

Security is all about managing risk -- looking at the threats, evaluating the likelihood that they will affect you, and determining what the impact would be. But in the end, do the numbers really make us feel warm and fuzzy? I didn't think so.

Before software as a service (SaaS), cloud computing, and other nebulous-feeling terms that ultimately mean your data isn't sitting on your servers in your data center anymore, managing risk seemed a whole lot easier. You put in a firewall, set up an IPS, ran antivirus everywhere (yeah, I know, but it's another layer), encrypted your sensitive data, etc., and you were taking action on protecting your data and reducing the risk of exposure.

So how do you address that risk when the data no longer lives on your server, where you can encrypt the hard drive and protect the data if it is ever stolen, or update the IPS rules to protect against new attacks? I've been thinking about this lately because of some upcoming projects, and I'm not sure that it's all that different from what we've been doing in our private lives as consumers, home owners, and drivers of vehicles.

Insurance: Sometimes we buy extended warranties (basically, insurance) that we expect to cover the replacement of a product that is damaged or not working properly. We buy home insurance that says a company will help repair/rebuild our home if something happens that is covered under our contract. Buying into cloud computing and SaaS requires faith in the terms and conditions of our contract that is similar to the faith that we have as consumers and homeowners with our insurance companies.

Moving to a cloud-based solution or SaaS requires that we (including the vendor) agree to the transference of risk. What I'm still not settled on is whether that's a good thing. I've seen many a situation where IT groups would be much better off paying to have someone else manage their services because they were understaffed and had practically no budget.

But who takes the fall if sensitive data is exposed through a hack against the vendor's systems? You, the client. It doesn't matter if it was your system or their system because it was your data to protect. Your company's name will still be the one getting bad press even though you have someone to blame it on.

My question to those of you already using these types of services is: Does the contract state what happens if your data is breached while on servers they manage? Is there some type of coverage for attempting to repair your reputation due to negative PR surrounding the incident? Send me e-mail or leave me your comments below.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
