• United States



by David Geer

Cloud security rebuttal: Don’t rebuke the many for the sins of the few

Jan 22, 20135 mins
CIOCloud SecurityCSO and CISO

Long-time cloud security advocate Chris Hoff challenges our recent '7 deadly sins' story

Did CSOonline’s 7 deadly sins of cloud computing story lack enlightenment?

One well-respected cloud security figure —Christopher Hoff, Chief Architect for Security at Juniper Networks—tweeted a response to the story, saying “Reading stuff like this sucks my will to live.”

We asked Hoff to elaborate. It appears that the cardinal offense was castigating the innocent together with the guilty, when many organizations already refrain from committing the seven cloud mistakes the feature calls out.

But, how do we separate the innocent from the guilty? According to Hoff, the innocent include any number of well-initiated CSOs, CISOs, and CIOs at large enterprises, while the guilty are almost certainly among the scrappy-if-under-resourced SMEs / SMBs and start-ups. Read on as CSO magazine explores Christofer Hoff’s analysis of the “7 deadly sins” story’s targeting and audience—and what to do better next time.

Wait a Minute—Who’s Doing This Stuff?

In a recent conversation with CSO magazine, Hoff argued the need to clarify the real audience for basic cloud security information.

“A CIO of a Fortune 500 company—and I will pick any one of the twenty I have spoken to in the last three months—would probably be offended by the notion that you are making them seem like they don’t do their job,” says Hoff. Hoff makes a respectable three-part argument for why the article offends large enterprise C-levels, based in part on why they are unlikely to commit the seven sins to begin with.

[Also read 5 more key cloud security issues]

First, according to Hoff, every one of the sins can be applied in generic logic to any case where a security C-level is outsourcing any new service or bringing any new disruption in technology online.

“A CIO of a Fortune 500 company—and I will pick any one of the twenty I have spoken to in the last three months—would probably be offended by the notion that you are making them seem like they don’t do their job.”

Christofer Hoff, Chief Architect, Security, Juniper Networks

“There is nothing particularly unique about the difference between ASP [and] SaaS from a security perspective that we haven’t dealt with iteratively every time we’ve had an inflection point in compute,” Hoff says. So, by the time an IT or security leader reaches C-level status at a large enterprise, he has already learned to apply the same logic elsewhere, and thus has the drop on those seven deadly sins.

Second in Hoff’s argument is the premise that the amount of written advice, guidance, and enumeration of these issues and others like them is already extensive. The Cloud Security Alliance (CSA), which Hoff participates in, put together a cloud security guidance covering three major areas including architecting the cloud, using the cloud, and governing the cloud.

“There are 13 categories [within those areas] in the CSA Guidance that go into in-depth detail,” says Hoff. The first chapter of the guidance about architecture summarizes what is the same, and what is different, in the cloud as well as what a C-level leaders should anticipate from a security perspective and a compliance perspective.

So, in summary, Hoff adds, these first two points suggest what is tiresome about the seven deadly sins article: This logic is already apparent in IT in general, and the industry has done a lot of writing on the subject.

Now the third premise. “When we look at why we are still required to bring this up over and over again,” Hoff explains, “it is [because] we tend to generalize. Your article talks about CXOs and kind of almost indicts [them] as a group … and not just your article, but lots of them, right?”

If there is a segment with members who could benefit from the seven deadly sins feature, Hoff continues, it’s the SME / SMB market. “Where your article rings true and is probably more realistic is with the smaller enterprise that doesn’t actually have a CIO or a formal, rigorous [security planning] process. They listen to stories and hype and take [them] at face value and they make make those mistakes because they don’t have the process, the bandwidth, and the expertise” to avoid them, says Hoff.

Go Forth and Stop Doing That

Rather than the generalization, Hoff would like to see some specificity broken down by market segments.

“If I take survey studies based on market segments of SMBs / SMEs or startups vs. established enterprises, how do they map against these concerns, these seven sins?” Hoff asks. Which market segments are making these cloud mistakes? Does each cloud sin really have the same potential outcome—the same risk associated with it based on the types of applications, activity, intellectual property, and business impact it may generate—in each market segment?

“So, say I am a Mom & Pop plumbing supply store,” Hoff says by way of illustration. Hoff’s store balances its risk and exposure against the seven deadly sins. In this scenario it will cost the store $25 a month, plus associated risks, for a service that it would otherwise have to spend thousands of dollars on to properly administer and buy the right hardware (and everything else). “Your sins are irrelevant to me. I am going to commit every single one of them and 200 more,” Hoff says, laughing.

“Now, if I am an enterprise, it is a different story,” Hoff continues. There is more complexity; the enterprise is more highly regulated. It has different priorities, different assets to protect, and the customer base is different.

“Here is the thing of interest,” Hoff summarizes: “Tell me what I can do as measured against the target market. You say, hey, you shouldn’t sign up a cloud solution product without going through IT security enrollment. But what if I do? What does that mean? What are the potential outcomes?” Do likewise for all the sins.