
Dark Reading | Perimeter
8/24/2009 03:36 PM
John H. Sawyer
Commentary

Your Cloud Insurance Policy

Security is all about managing risk -- looking at the threats, evaluating the likelihood that they will affect you, and determining what the impact would be. But in the end, do the numbers really make us feel warm and fuzzy? I didn't think so.

Before software as a service (SaaS), cloud computing, and other nebulous-feeling terms that ultimately mean your data isn't sitting on your servers in your data center anymore, managing risk seemed a whole lot easier. You put in a firewall, set up an IPS, ran antivirus everywhere (yeah, I know, but it's another layer), encrypted your sensitive data, etc., and you were taking action on protecting your data and reducing the risk of exposure.

So how do you address that risk when the data no longer lives on your server, where you can encrypt the hard drive and protect the data if it is ever stolen, or update the IPS rules to protect against new attacks? I've been thinking about this lately because of some upcoming projects, and I'm not sure that it's all that different from what we've been doing in our private lives as consumers, home owners, and drivers of vehicles.

Insurance: Sometimes we buy extended warranties (basically, insurance) that we expect to cover the replacement of a product that is damaged or not working properly. We buy home insurance that says a company will help repair or rebuild our home if something covered under our contract happens. Buying into cloud computing and SaaS requires the same kind of faith in the terms and conditions of the contract that we, as consumers and homeowners, place in our insurance companies.

Moving to a cloud-based solution or SaaS requires that we (the vendor included) agree to transfer the risk. What I'm still not settled on is whether that's a good thing. I've seen many a situation where IT groups would be much better off paying to have someone else manage their services because they were understaffed and had practically no budget.

But who takes the fall if sensitive data is exposed through a hack against the vendor's systems? You, the client. It doesn't matter if it was your system or their system because it was your data to protect. Your company's name will still be the one getting bad press even though you have someone to blame it on.

My question to those of you already using these types of services is: Does the contract state what happens if your data is breached while on servers they manage? Is there some type of coverage for attempting to repair your reputation due to negative PR surrounding the incident? Send me e-mail or leave me your comments below.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
