Wall street journal 22 sept 10 - perspectives on risk it
B6 Wednesday, September 22, 2010 THE WALL STREET JOURNAL.
Special Advertising Section
Perspectives on Risk IT
Emerging Virtual Unknown
The technologies, some in their infancy, make risk harder to gauge
By Joe Mullich
Illustration by Alex Williamson

In some ways, emerging technologies — like social networks, mobile devices and cloud computing — are reshaping how IT views risk. In the past, from an IT standpoint, managing risk was about digging technology moats and putting up cyber drawbridges. Firewalls, anti-virus programs and the like created a strong perimeter defense to protect data from infiltrators.

However, moats and drawbridges are only of value if what you want to protect is behind the castle walls. Emerging technology provides much of its payback because it loosens control on data and, in some cases, places it in someone else’s castle.

“In general, there is a move to more mobility and a less rigidly defined security perimeter, connecting to devices, like employees’ personal communications devices, that you don’t trust,” says James Slaby, managing director for the Security & Networking Practice at TheInfoPro, an independent research firm. “People understand the business benefits of the new environment, but they can’t quite get their arms around the new threat environment.”

Ironically, he sees this as a positive development for IT security. “Before, the tendency in an organization was to look at threats to the infrastructure and harden the perimeter security,” Slaby says. “People would lock down the operating systems, but they wouldn’t think if a contractor was walking out of the company with data on a thumb drive. Now the focus is on the security of the data.”

This is a welcomed perspective — if only there weren’t so many security concerns to focus on. “There is a new universe of threats and attack vectors that people couldn’t imagine a few years ago — that have arrived at a speed that’s shocking,” says Khalid Kark, an analyst with Forrester Research.

Consider workers using social media and personal mobile devices, giving cybercriminals new operating systems to attack that IT has not provided safeguards for. Many companies are finding they must embrace these technologies because workers and customers demand them, yet they also offer more “attack points” for increasingly sophisticated data thieves.

The speed of threats is shown in the “Bring Your Own Equipment” (BYOE) trend — workers using personal devices for business reasons. It wasn’t even mentioned as a concern in TheInfoPro’s last survey of organizations just six months ago, but is emerging as a top security pain point in the year ahead.

Then there’s “cloud computing,” the tech buzzword du jour, referring to the housing of corporate information in a data center controlled by a vendor, which your employees access over the Internet. The approach is a no-brainer in terms of cost savings and efficiencies. The problem is that cloud computing can put the company’s crown jewels — its data — at a greater but hard-to-gauge risk, since it inherently requires companies to give up some control of their information.

As Kark notes, the threat landscape is becoming increasingly complex, populated less by individual hackers who brag about their latest exploits than by organized, well-funded crime syndicates and even state-sponsored agents. Instead of “big bang,” headline-making attacks, criminals now spend months probing a corporate network for weaknesses and then modify that network to provide them with an ongoing stream of information. “The sophistication of the attacks is significantly more mature than it was even a year ago, and so the business impact over time can be huge,” Kark says.

Clouded Discussions

Cloud computing offers enticing economies of scale, promising to let companies dramatically reduce spending on technology infrastructure. It has also forced IT people to ponder the unknown risks. In a recent survey of 259 large and mid-size organizations by TheInfoPro, 72 percent said they were “very” concerned or “extremely” concerned about security in a cloud environment.

They are proceeding, albeit cautiously, because “Businesspeople don’t see this as simply moving money out of IT infrastructure — they view this as money that can be invested in areas outside IT, such as improving manufacturing processes to boost margins,” says Slaby. “Security departments are challenged in coming up with a compelling argument against cloud computing because this stuff is developing so fast and they don’t have data that defines the risk yet.”

They may lack firm data, but they have at least a vague sense of the potential pitfalls. The Cloud Security Alliance, an industry organization, recently produced a report that identified the top threats of cloud computing.

Cybercriminals are now targeting cloud computing because increasingly that’s where the most valuable data is — or will be. One surprising finding of the TheInfoPro survey is, while companies are worried about cloud security, the first business function they plan to transition to the cloud is Human Resources data — which is extremely sensitive to identity theft.

The Cloud Security Alliance pointed out other reasons for concern. The software interfaces that customers use to manage and interact with the cloud may be weak and easier for criminals to break. Services or accounts housed in the clouds can be hijacked, letting miscreants redirect customers to their illegitimate web sites. Malicious insiders at the cloud providers represent a new source of potential data leakage.

“Cloud computing is getting a lot of play, but from our perspective it’s a little immature in its life cycle,” says Tom Peach, CIO of Zurich in North America. “Our customers and business brokers demand a rock-solid environment, and we are looking at it and testing it out.”

At the same time, Peach, like many IT professionals, feels the rising pressure to implement emerging technology. “I know there are areas within our company that want to run with this technology,”
he says. “There is a lot of heat to move on things like the iPhone and the iPad. Our business partners want to be on the cutting edge and there’s increasing demand to use these technologies.”

Drawing the Line

Morgan O’Rourke, director of publications for the Risk and Insurance Management Society (RIMS), notes, “there is so much risk out there that you have to know where to draw the line.” He points out an emerging risk in the social network arena called niche social bookmarking, where people can “tag” or associate companies to specific content — say, Exxon to environmental articles.

“The question is…is that a risk you want to manage?” he says. “You have to have a thorough understanding of your risk appetite, especially as the definition of risk gets stretched to include nebulous things that are hard to quantify, like reputation.” He goes on to say, “Some companies have their heads in the sand, but that’s not an option anymore.”

This new world of security is bringing fundamental changes to “the professional paranoids” who are charged with safeguarding data. Security departments, which have traditionally been organized in silos to look at discrete network elements like desktops, are now reorganizing to reflect a more overarching approach.

Over the past year, Zurich in North America’s spending on IT security has risen 20 percent while the rest of the IT budget remained flat. “Security has to be a portion of the capital budget,” Peach says. “It can’t be an afterthought.”

Playing It Safe

Without question, the rush is on to try to secure the cloud. The Cloud Security Alliance is advancing best security practices and recently implemented the industry’s first certification program to ensure IT professionals demonstrate awareness of cloud security threats and best practices.

In Slaby’s view, many organizations are seeking to build their “cloud security calluses” in lower-risk scenarios, first by gaining experience with “private clouds” within the safety of their own networks before venturing out to true cloud services. As companies migrate to the cloud, they are looking to protect themselves with carefully negotiated service level agreements (SLAs) and tools to actively monitor and verify the performance of cloud providers.

Exploring safeguards now is important, Slaby notes, because “it will be hard for business managers to resist for long. The compelling cost-arbitrage benefits of the cloud — its ability to deliver big savings in hardware, power and IT support costs — will likely force IT security professionals to figure out these challenges sooner rather than later.”

Emerging technology is prompting companies to seek other safeguards, demonstrated by the growing interest in business interruption insurance in case data is compromised or becomes unavailable and prevents them from conducting business as usual. “Businesses should also be looking at errors and omissions coverage, which can offer protection if, say, a data breach exposes information that a stakeholder might consider private and, therefore, worth taking legal action over,” O’Rourke says. “This would also apply to content on social networks,” he adds, “which makes the need for a solid social media policy even more important.”

In the current technology arena, “The problem with risk is that it’s not easy to quantify the business impact,” says Kark. “Traditionally, businesses have accepted risks with a low probability of happening, but now the impact is so large from data loss, including government sanctions, embarrassing headlines and furious shareholders, that they cannot ignore even the smallest possibilities anymore.”

Joe Mullich writes about business technology and other topics.