Compliance in the Cloud – Unfiltered and Unplugged

My presentation at Interop tomorrow is called “Compliance in the Cloud – Unfiltered and Unplugged”. I will present a picture of how regulations affect cloud environments and what customers should know about compliance and security.

The Reuters storyline today has a lot of doom and gloom about cloud in an article called “Sony Woes May Cause Some to Rethink Cloud Computing”:

“Nobody is secure. Sony is just the tip of this thing,”

I would love to agree, as it’s great for business, but let’s be honest. It’s not a great surprise. It’s not a tip. It’s more of the usual. When you look at a high-risk operation with valuable assets and poor security practices you can’t stand up and say “nobody is secure”. That’s like watching someone blow their arm off after lighting a stick of dynamite by hand and saying “nobody can prevent that”. We know what has to be done.

Sony could have done a much better job protecting themselves. I am limited in what I can say about the details, but let me also just be circumspect and say that the security industry also can do a better job protecting Sony.

The lesson here is far less of a giant leap of faith or transformation and more about management learning to truly accept the basic tenets of compliance — “wax on, wax off” routine practices — rather than adopting x or y technology.

“You would have thought a big time reputable company like Sony would be running up-to-date, patched software with an appropriate firewall,” he said. “If Sony didn’t do this, which other big, reputable companies aren’t doing this?”

I gave numerous examples at RSA 2011 in San Francisco of why this is a fallacy. Anyone who attended my presentation would not have thought that.

“There’s nothing from the government or regulatory industry that says anything about how to run a shop,”

Not true. Tomorrow you will see a more accurate representation of the status of compliance in the cloud. I will present, in my usual contrariwise style, the opposite view of this Reuters article and explain how the government and regulatory industries say a lot about how to run a shop. In other words, come hear how the Sony and Amazon incidents are catalysts of compliance.

Although I have said before that the cloud has to catch up to compliance, I recently have had to confront the fact that auditors and assessors tend to make five major mistakes when looking at cloud environments. Tomorrow I also will explain why and how to improve the quality of cloud audit.
