Information Security -- Do you Trust the Cloud?
Posted by John Verry on Fri, Jun 12, 2009 @ 02:59 PM
Two studies released today from EMC's RSA security division discuss the increased risks posed by cloud-based services and social networking. The 2009 IDG Research Services survey, commissioned by RSA, surveyed 100 security executives at companies with revenues of $1 billion or more. It found that nearly half of those surveyed either have enterprise applications or business processes running in the cloud or are beginning migration in the next 12 months. Yet, two-thirds do not have a security strategy in place for cloud computing.
Of particular interest to me was a quote by Dave Cullinane, eBay's CISO: "We need to develop an intelligence capability so we know what's coming and we can prevent things from happening in the first place. It means moving to a more preventative security model and being able to share information with each other."
Effective information sharing requires trust. So rather than ask the question "Is the cloud vendor/system/application secure?" ask the better question "Is the cloud vendor/system/application trustworthy?"
At first blush, the distinction looks rather minor, as many of the "technical" mechanisms that we use to assess "trustworthy" are in large part the same ones we would use to assess "secure" (e.g., vulnerability assessments, penetration tests, audits, third-party attestation, etc.). However, the value of including trust in the assurance process is that it provides an additional set of measures that we can use to enhance the value and accuracy of the more technical mechanisms. That is, by considering the trustworthiness of the individuals, organizations, and systems involved, the level of assurance (either positive or negative) provided by the provider/assessor is infinitely increased.