Re: Trying to manage the move to the cloud

[Leon DuPree <duprleo () GMAIL COM>]

Interesting:

ERP was known for its advantages in terms of process based business
functions and integrated controls that allowed you a level of accountability
that would lend itself to audit and certification opportunities.  Now with
Cloud computing your risk may be measured and perhaps your accountability
segmented, but the process expectations remain the same in terms of delivery
of service.  I always wondered how to reconcile opportunities in cloud
computing with the risk if it is not shared?  Perhaps this more of mindset
than the technology itself.

Anyhoo Great talking points I am mainly listening.

Leon DuPree

On Fri, Mar 11, 2011 at 1:30 PM, Nathan Zierfuss <nathan.zierfuss () alaska edu
> wrote:

> Data protection requirements are also one of the ways we are trying to keep
> sensitive data out of the cloud but starting to think about the next 3-5
> years when more vendors are offering cloud based ERP resources which will
> need to hold sensitive PII or PHI now would be good. Two areas we are
> working on are risk frameworks and liability limitations. Risk frameworks to
> think about what we are and are not willing to accept from a vendor or
> ourselves in the use of cloud based services. Establishing liability
> boundaries in procurements & contracts to know where our risk is by saying
> at point A I'm responsible for this data and what happens to it and at point
> B you are and we have all agreed to it. Rather then the blanket
> indemnification that currently happens in default licensing and contracts.
> Developing these areas now will be key to dealing with the cloud since
> stopping it has not been an effective or efficient tactic.
>
> Nathan Zierfuss, CISSP, Senior IT Security Officer
> -
> Technology Oversight Services, University of Alaska
> 910 Yukon Dr. Suite 105, PO Box 755320
> Fairbanks, Alaska 99775-5320
> -
> Ph: (907) 450-8112  Fx: (907) 450-8381
>
> On Mar 11, 2011, at 7:11 AM, Jeffrey I. Schiller wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, Mar 11, 2011 at 10:37:16AM -0500, Bob Bayn wrote:
>
> Our Information Security Policy includes this little statement:
>
>
> "Offsite storage, processing or backup of PSI/CID [private sensitive
>
> information/critical institutional data] must use service providers
>
> evaluated and approved by the responsible data steward in
>
> consultation with OIT. OIT is directed to publish standards that
>
> conform to this
>
> policy<
> https://it.usu.edu/policies/htm/information-security/selection-of-cloud-computing-services
> > ."
>
>
> I like this approach. I am not a big fan of "You may not do that,
> period." style policies. If central IT has comparable solutions to a
> service in the cloud that someone wants to use, that is one
> thing. However often this isn't the case. So if you say "you must use
> central IT's services" and the person needs to use the cloud service
> to do their job, in effect you are saying "you cannot do your job."
> Guess what happens then. And yes, I know that they probably can do
> their job without using the particular cloud service at issue, but it
> probably requires more work (which may not be appreciated by their
> supervisor!).
>
> One of the big challenges that we have in security is getting security
> to align with human nature. When we ask people to do something that
> goes against the grain of human nature, compliance will always be low
> and risk will always be increased. I can rant more on this topic, but
> I won't pollute this thread with it :-)
>
> I would recommend first, a data classification policy. Followed by an
> evaluation of various offering out there and a mapping of which class
> of data is appropriate for which cloud service (if any).
>
>                        -Jeff
>
> - --
> _______________________________________________________________________
> Jeffrey I. Schiller
> Information Services and Technology
> Massachusetts Institute of Technology
> 77 Massachusetts Avenue  Room N42-283
> Cambridge, MA 02139-4307
> 617.253.0161 - Voice
> jis () mit edu
> http://jis.qyv.name
> _______________________________________________________________________
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iD8DBQFNeknD8CBzV/QUlSsRApWmAJ9sIk964Vz5chRhNfvznHBD+KDa1wCg2u3n
> EfgMFVPwex0/4bo4FqcGpaM=
> =Jr4w
> -----END PGP SIGNATURE-----


-- 
Leon DuPree