Wow, I guess the reason for you clicking on the link is this statement – right? Well, “unfortunately” I cannot claim ownership of it. It was made by a Google representative during an interview in Australia: Google: Who cares where your data is?

To me, the whole Cloud discussion sometimes drives into interesting directions. I often feel that Cloud providers develop a solution and tell the world that the policy decisions were on purpose to protect the customers. Like some providers told the world in the past that you should not care how your data is protected. They take care of your security and you should just trust them – like banks. Nonsense! If you have to prove compliance, you will definitely want to understand how your data is protected and what controls are enforced in the Cloud environment. But as the industry – including the regulators – is still trying to understand the impact of the Cloud, it is a good time to drive such messages and sell the setup as “best practice”.

Things will change and outdated policies will be adopted to today’s reality but making a statement that you should not care where your data is, simply neglects some “minor” obligations you carry like protection of the privacy of the people you have data from… or the fact that you probably not want your state secrets in another country (even though I do not expect a country putting Top Secret material to the public cloud – yet).

Just because the Cloud provider does not know, where your data is does not mean that you shouldn't care…

Roger

I am talking a lot about Cloud Security. There are a few observations I made:

• Even though a lot of people are talking about the Cloud, there is still not too much knowledge about it. What is a private Cloud versus a public Cloud? What is Infrastructure as a Service, Platform as a Service, Application as a Service? And where are the key differences when it comes to risks?
• A lot of businesses look at it as an all or nothing. This is simply a massive mistake. There are workloads (like your identity management) you will wait a really long time until you move it to the Cloud and keep on premise. There are others, you might want to move immediately to the public Cloud and some of it will stay in a private Cloud.
• There is a lot of fear out there and not a lot of frameworks, which can help with to bring the whole discussion to rational level. Actually, there is a lot of material out there but not a lot, which is simple to read and consume.

That’s the reason, why Doug Cavit and me wrote the Cloud Computing Security Considerations about an year ago. We came up with 5 points to be considered, when looking at the Cloud from a security perspective:

• Compliance and Risk Management: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
• Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organisation and country borders.
• Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.
• Endpoint Integrity: As cloud-based services originate--and are then consumed--on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.
• Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.

These five considerations are very well received and seem to work well for the customers to address part of the points above. The number 1 question I got, however, was: How can apply this to the different scenarios?

Therefore I am happy to announce, that we just released a paper to the web called: Addressing Cloud Computing Security Considerations with a Partner Private Cloud.

We show you how to split responsibilities between the partner and the customer and what the considerations mean for both sides – as always, your feedback is more than welcome!

Finally, stay tuned: In a few days, we will do the same with the public Cloud. This time, however focused on Office365. As soon as we go live with Office365, we will publish it.

Roger

We often talk about consumerization of IT. The advantages are huge – and so are the risks.

The key challenge is, that we increasingly started to rely on devices built for consumers to safeguard our company’s – or even worse our country's – secrets. Consumerization is huge and makes a lot of sense from a productivity angle. However, I have not seen too many companies really doing a risk assessment and proper mitigations. It is often a yes or no and where it is a no, the senior leaders of the companies turn it into a yes.

There was quite some debate in this context about Windows Phone 7 and the security features. I am convinced that this is the most secure platform out there currently but we are missing some features like device encryption. On the other hand, I rather have good and strong encryption than one which can be broken in minutes (Phone Security:Lose your Passwords on iPhone in a few minutes).

Looking at these articles, it will be interesting to see, where these trends lead us:

• Federal government loosens its grip on the BlackBerry
• ElcomSoft Breaks iPhone Encryption, Offers Forensic Access to File System Dumps
• Extracting the File System from iPhone/iPad/iPod Touch Devices

Should you ban such devices? Not at all as you will lose this fight but doing a proper risk assessment and mitigation would make sense. What kind of sensitive information do you allow on these devices (do you even have an implemented data classification scheme?) How do you protect your network (what about IPSec?) etc.

We might be missing features and we will deliver them but we all know that the basic security cannot be built into software afterwards and at least we did our homework with Windows Phone 7 there.

Roger

Quite a while ago, I blogged about the File Classification Infrastructure in Windows Server 2008 R2:

• File Classification Infrastructure in Windows Server 2008 R2
• File Classification Infrastructure:More content

In my opinion, this is an interesting tool, built in to your server platform.

Now, we just published a paper about how we use this File Classification infrastructure to protect PII. This is an interesting read: Microsoft IT Uses File Classification Infrastructure to Help Secure Personally Identifiable Information

Here is the summary:

In today's high-tech world, collecting and storing data are business-critical processes that form an integral component of daily operations. However, the ever-increasing dependency on and use of electronic data also make data management more challenging—especially in light of government regulations for the appropriate use and storage of personally identifiable information (PII) and financial information. Improper storage of PII can also be a significant financial concern, as the cost of storage-related security breaches can be hundreds of dollars per record.

Microsoft Information Technology (IT) had been using an internally built solution to help secure personally identifiable information (PII), financial information, and other types of sensitive data by classifying internal file shares and Microsoft® SharePoint® sites. However, this solution was limited to defining information sensitivity at a file-share level. It also required each user to specify the sensitivity level of his or her file shares manually, which frequently led to mislabeled information.

This custom, internally developed solution also had a high total cost of ownership, requiring a significant amount of development and maintenance resources to fix identified issues and keep the system up to date, as each upgrade to the storage operating systems required upgrading the code.

Microsoft IT needed a solution that would bring consistency to the file classification process across all teams, and be able to scan content automatically at the file level for key words, terms, and patterns. It then had to apply the correct rights management protection based upon predefined security policies. Cost of ownership and performance were also important drivers for developing a new solution. Microsoft IT needed a system built from off-the-shelf, standardized Microsoft technology, that could scale across terabytes of data. With such a large amount of information, the solution had to be efficient at scanning files while maintaining a high degree of accuracy when identifying sensitive PII.

Roger

This is actually a great speech but very, very, very scary:

and the scariest part is that I never looked at it that way but he is right

Roger