Information Security Blog

Information Security — Do you Trust the Cloud?

Two studies released today from EMC’s RSA security division discuss the increased risks posed by cloud-based services and social networking. The 2009 IDG Research Services survey, commissioned by RSA, surveyed 100 security executives at companies with revenues of $1 billion or more. It found that nearly half of those surveyed either have enterprise applications or business processes running in the cloud or are beginning migration in the next 12 months. Yet, two-thirds do not have a security strategy in place for cloud computing.

Of particular interest to me was a quote by Dave Cullinane eBay’s CISO “We need to develop an intelligence capability so we know what’s coming and we can prevent things from happening in the first place, It means moving to a more preventative security model and being able to share information with each other.”

Effective information sharing requires trust. So rather than ask the question “Is the cloud vendor/system/ application secure?” ask the better question “Is the cloud vendor/system/application trustworthy?”

On first blush, the distinction looks rather minor, as many of the “technical” mechanisms that we choose to assess “trustworthy” are in large part the same that we would use to assess “secure” (e.g., vulnerability assessments, penetration tests, audits, third party attestation, etc.). However, the value of including trust in the assurance process is that it provides an additional set of measures that we can use to enhance the value and accuracy of the more technical mechanisms. That is, by considering the trustworthiness of the individuals, organizations, and systems, the level of assurance (either positive or negative) provided by the provider/assessor is infinitely increased.

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

How to deal with increasing threats
How to manage multiple regulatory requirements
How to handle client requests for attestation
To validate that significant changes did not have unanticipated results

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

Substantiate the net effectiveness of a mature control environment
Prove to a third party that an environment is secure/trustworthy
Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
To validate that significant changes did not have unanticipated results