CISOs Rain on Cloud Parade At RSA
By Ellen Messmer
March 04, 2010 — Network World — SAN FRANCISCO -- Economic pressures are driving more businesses and governments to nervously eye cloud computing, despite myriad unanswered questions that swirl around a single central concern: security. This was the backdrop for a panel discussion between CISOs at this week's RSA Conference.
"We're all in dire straits," said Seth Kulakow, Colorado's CISO. "Cloud computing is obviously on everybody's mind." But even if cloud-computing looks like a bargain, "it's got to have the same kind of risk controls you have now."
"It's imperative we look at it," said Nevada's CISO Christopher Ipsen, who had noted that the economic crisis and housing-market collapse have left his state's financial situation "extremely bad."
"We are doing some cloud services with e-mail," said California's CISO, Mark Weatherford. "It's very efficient. We can't ignore the benefits in the cloud, but we have to proceed carefully." The Los Angeles Police Department is regarded as the state's early adopter in all this since it's moving to a cloud-computing arrangement with Google (GOOG).
But giving up control over IT infrastructure and software assets in favor of rental and pay-as-you-go models evokes anxiety, too. "What I'm most worried about is catastrophic failure, and if we put all our eggs in one basket, someone in the middle holds the keys," Ipsen noted.
IT customers are not the only parties that need to evolve their thinking, panelists said.
"The cloud represents a fundamental change in how vendors will work with their customers," said another panel participant, Forrester Research analyst Jonathan Penn. "We need some sort of standardization in this so we can have some way of comparing platforms and levels of service so I can understand what I'm getting."
IDC analyst Chris Christiansen said the cloud security market is estimated at $1 billion, mainly for e-mail and Web services, and trying to track it is going to be a challenge since many new forms of product and service delivery are arising. So, too, are horror stories, including one about an enterprise that needed to pay $170,000 merely to pry its own data back from a cloud service.
"Just about any kind of dispute can arise in a cloud-computing relationship," said Tanya Forsheit, founder and partner at Information Law Group. "The inability to obtain data, the level of data security, the allocation of liability in the result of a breach, and what are the default rules?" Privacy regulations in the United States and Europe, for instance, may mean that certain kinds of sensitive data simply cannot move about freely.