ebook cloud 9316

Upload: lalaiah-yatakula

Post on 04-Apr-2018


7/31/2019 eBook Cloud 9316, 1/19

COMPLIANCE WEEK. Brought to you by the publishers of

Mobile and Cloud Computing

INSIDE THIS PUBLICATION:

Risks and Benefits of Employee-Owned Devices

PwC: Establishing Trust in Cloud Computing

Improving Data Security for Cloud Computing

GeoTrust: Choosing a Cloud Provider with Confidence

Outlook Improving for Data Security in the Cloud

An e-Book publication sponsored by

e-Book: A Compliance Week publication

PwC has been providing professional IT and compliance services for over 100 years. With strong industry credentials and more than 163,000 professionals in 151 countries, we actively leverage our diverse institutional knowledge, experience and solutions to provide fresh perspectives and significant value for our clients.

PwC provides professional services offering cloud providers and their customers an independent and objective assessment of controls and policies related to cloud computing technology. As broader enterprise adoption of cloud computing technology emerges, you need IT, audit, and security professionals you can trust to help you see through the clouds and protect your assets, technology, and brand.

Our professionals are recognized throughout the industry for their innovation in analyzing, developing, and implementing tailored solutions for clients, both within the technology sector and across all industry sectors.

GeoTrust, a leading certificate authority, provides retail and reseller services for SSL encryption, and website authentication, digital signatures, code signing, secure email, and enterprise SSL products. Products include True BusinessID with Extended Validation SSL Certificates, True BusinessID SSL Certificates, Multi-Domain Certificates, Wildcard SSL Certificates, UC/SAN SSL certificates, Quick SSL Premium Certificates, and VeriSign Certified Document Solutions, My Credential Certificates, and Enterprise SSL.

Compliance Week is an information service on corporate governance, risk, and compliance that features a weekly electronic newsletter, a monthly print magazine, proprietary databases, industry-leading events, and a variety of interactive features and forums. Founded in 2002, Compliance Week has quickly become one of the most important go-to resources for public companies. Compliance Week now reaches more than 26,000 financial, legal, audit, risk, and compliance executives.

Inside this e-Book:

Company Descriptions 2

Risks and Benefits of Employee-Owned Devices 4

PwC: Establishing Trust in Cloud Computing 6

Improving Data Security for Cloud Computing 10

GeoTrust: Choosing a Cloud Provider with Confidence 12

Outlook Improving for Data Security in the Cloud 18


Risks and Benefits of Employee-Owned Devices

By Joe Mont

Fueled by the popularity of the iPhone and iPad, and aided by the uncertain future of Research in Motion, maker of that longtime business staple the BlackBerry, companies are increasingly embracing a bring-your-own-device workplace.

No longer content with just a company-issued desktop or laptop, employees are looking to thumb their way through e-mail and what is often sensitive company data whenever, and wherever, they choose on devices they purchase themselves. The trend has forced companies to weigh the benefits of a happy, productive workforce with security issues and regulatory requirements.

"I think the BYOD discussion is going to come down to how much you can get away with before you introduce harm," says Davi Ottenheimer, president of information security firm Flyingpenguin. "If you give employees a workspace that they are able to own, and run with, they will be productive. But on the flipside you are also introducing so much more risk," adds Ottenheimer, co-author of Securing the Virtual Environment: How to Defend the Enterprise Against Attack.

While some companies are embracing the BYOD approach, happy to let employees bear the cost of hand-held devices, others are clamping down on the practice out of security concerns. For example, IBM recently evicted Siri from its workplace and banned employees from using their own devices, like iPhones, to view company data. IBM cited concern over the way Apple's data pipeline between users and the voice-activated personal assistant could compromise security. "IBM has a lot to lose if Siri is actually leaking data out," Ottenheimer says.

IBM also bans cloud-based services, like Dropbox, that are more consumer focused and don't offer robust, enterprise-level security.

"Mobile computing has dramatically changed how we exchange data," says Rick Dakin, CEO and co-founder of Coalfire, an information technology governance, risk, and compliance firm. "Unfortunately the developers of mobile applications and the cloud services that support them did not bake compliance and security into the solutions," he says. "I think the rapid change caught developers and enterprise IT off guard. In a way, it is more than bringing your own device to work, it is managing compliance in the post-firewall era."

Dakin recalls sitting on a flight recently beside a fellow passenger who was frantically pounding out an executive briefing filled with sensitive sales data on a brand new iPad, using the airplane's insecure WiFi, a scenario he says is far too common. "The IT department of that enterprise has no idea what he is doing, has no idea what the access controls are, has no idea what data is being addressed, no idea how that data is being transported, and has no ability or access to wipe that iPad should he lose it," he says.

According to Dakin, most companies don't even realize the security risks they are taking when they allow employees to use their own electronic devices. "Can you imagine being the internal auditor and going to your board of directors and saying, 'Well, I can provide evidence that we have compliance on these rigorous data protections and intellectual property protection policies that you set on 60 percent of our devices. The other 40 percent? We have no clue,'" he says.

Some IT security experts say that companies can allow a BYOD approach and still maintain some security standards. "Companies have to find a way, from a political standpoint, to use compliance to say, 'You can bring your device, but we will hold you responsible and we will take action, in self defense, to protect our assets, and to make sure the devices that are brought in meet our compliance guidelines,'" Ottenheimer says.

Embracing BYOD

A study of 600 U.S. IT and business leaders conducted in May by Cisco finds that more companies are embracing BYOD. "IT is accepting, and in some cases embracing, BYOD as a reality in the enterprise," the study's authors wrote.

According to the study, 95 percent say their organizations permit employee-owned devices in some form in the workplace. Eighty-four percent of IT departments not only allow employee-owned devices, but also provide some level of support, and 36 percent of those surveyed say enterprises provide full support for employee-owned devices.

The trend toward BYOD has both helped and hurt Cisco. In May the company announced that while the trend has led to tremendous interest in its Jabber and WebEx collaboration software, these same "market transitions" led to a decision to cease development of its Cius tablet. Launched in 2010, the enterprise-focused tablet found itself struggling to draw market share away from the consumer-level devices being integrated into the workplace.

The same trends haven't been kind to BlackBerry. "In the old days, not that many people really bought a BlackBerry themselves," says Ojas Rege, vice president of strategy for MobileIron, a company that provides enterprise management and security for mobile devices and apps. "The BlackBerry was a business instrument that maybe you did some personal stuff on. What's changed now is that every individual wants a smartphone or a tablet and it is a personal instrument that they are also going to do business on. The role has reversed."

Companies have already looked at issues like encryption and password protections, Rege says. What they haven't done as well is to bridge the gap between implementation and policy, particularly when it comes to privacy issues. "[In the past] they have been able to put policies in place without really having to consider the impact of privacy. In a BYOD setting, with a personal device that is being used for business, suddenly, privacy becomes relevant," he says. "Security is an enterprise worried about losing its data. Privacy is a user worried about losing his or her data. It is exactly the same problem, but from two very different perspectives."

Protecting Data

The first step for companies looking to adapt to BYOD demands, Rege says, is to identify the baseline for corporate data protection. They then need to assess what could happen to a mobile device that might pose a threat to corporate data, such as a lost phone or a user who removes password protection.

Similar to how companies deploy data classification programs, users can have privileges reined in based on their mobile device's trust level.

"You can say that a highly trusted device, which has defined characteristics, gets access to all my enterprise resources," Rege says. "If the trust level of that device drops, you only get access to e-mail and not an application with financial data. If the trust level drops even more, you don't get access to anything." He says the trust level of a particular device can be changed through the day depending on its characteristics, such as its location or behavior pattern.

"The mind shift compliance and security teams need to have is that the user experience is fundamental, so anything they do on the security side that breaks user experience will just lead that well-intentioned user to go rogue," Rege says. "They will just go around it. User experience will actually trump your security policy."

Updating security policies to adapt to mobile devices is another important step, says Dakin. Most companies have not, he says. Internal audit requirements also have to be updated to account for mobile computing. "It is a question of raising the awareness, because the solutions are there, they don't need to fear migration to mobile, they just need to plan for it and execute for it," Dakin says.

"Unfortunately, many of the business decision makers, the ones who allocate the capital, don't understand the technology," he adds. "The early wave of security was all about firewalls and intrusion prevention because the bad guys lived in Russia and they were going to attack us over the Internet. That's really where their education stopped, with that firewall mentality of a hard candy outer shell with a soft, gooey inside."

Beyond users, companies also need to navigate regulatory hurdles.

"There are a lot of companies that are worried about moving forward with next-generation mobile apps because they are not sure how to handle their compliance teams and regulators in a way that gets everyone to a place where they need to be," Rege says. "I think there are going to be some new models for how a compliance team is structured and how the relationship with whatever regulatory body is managed on a daily basis."

Ottenheimer predicts that these issues will gain more focus as younger people, raised on technology, enter government. "We are transitioning into the era of the tech-aware regulator," he says.

The following graph from Cisco shows what is trending now for mobile devices.

[Figure: Mobile Device Trends. Source: Cisco.]

WWW.COMPLIANCEWEEK.COM 888.519.9200

KNOWLEDGE LEADERSHIP

Establishing Trust in Cloud Computing

By Sharon Kane and Cara Beston

Cloud Value Proposition

Cloud computing has unprecedented potential to deliver greater business agility and flexibility while lowering IT costs. It is no surprise that cloud computing is the fastest-growing trend in enterprise technology today, and for the foreseeable future. Forrester Research, Inc. predicts the global cloud computing market will mushroom from $40.7 billion this year to $241 billion by 2020.[1]

Cloud has already taken flight in many IT organizations. In PwC's 2012 Global Information Security Survey of more than 9,600 security and IT leaders, 41% of respondents said their organization has implemented some form of cloud computing.[2] This is no surprise given the results of our 2012 Global CEO Survey, which indicated 31% of CEOs expect a significant change in strategy related to the adoption of new technologies like enterprise mobility and cloud computing over the next three to five years.[3]

While most CIOs now consider cloud computing mature enough for some level of adoption within the enterprise, they remain concerned about the risks associated with cloud computing. Of particular concern are the risks associated with using a public cloud, which is where the greatest benefits can be achieved. In an era where corporate governance, compliance with regulations, and meeting stakeholder commitments are essential to a company's reputation, many business leaders are concerned about how they will address the issues that surface in every conversation about the cloud: security, availability, data privacy and integrity, and compliance.

Moving to the cloud can provide unprecedented benefits, but it can mean giving up some control over these risks. While businesses can outsource their systems, applications, and business processes, they can't outsource their obligations (to investors, employees, customers, partners, and regulators) to manage risks. As such, companies need transparency into how well cloud providers' environments address their concerns.

Third-party assurance, that is, independent reporting solutions to address the trust gap between providers and users, may be part of the answer. With third-party assurance, an independent and objective organization delves into a cloud provider's environment to identify and test controls that govern the ability to deliver promised levels of service along with sufficient security, availability, data privacy and integrity, and compliance. Gartner, Inc. predicts that by 2016 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service.[4] Third-party assurance may be the catalyst companies need to embrace cloud computing with greater confidence.

Risks with Cloud Computing

Some of the risks associated with cloud computing include the following:

Security: In a recent PwC survey, 62% of respondents who outsource IT say that data security in the cloud is a serious risk.[2] Protecting sensitive business-critical data is paramount. You could be at a competitive disadvantage or subject to negative publicity and legal or regulatory action if your intellectual property or other data is accessed by other cloud users or hacked.

Availability: Cloud providers promise certain levels of availability and uptime, but you have no way of knowing if a provider has adequately prepared for high usage levels across multiple cloud users. This is an especially relevant concern for companies considering moving high-volume, data intensive, or critical transaction processing to the cloud.

Data integrity: You rely on data to forecast, report on, and manage your business. Inaccurate or incomplete data coming from a cloud provider's systems could result in poor forecasting or incorrect public reporting. Your business may also be subject to regulations or legal processes that require ready access to significant historical data. Without sufficient data retention and access rights, you may be subject to fines and penalties for non-compliance. Finally, your cloud service provider may use your data for secondary purposes if data ownership rights are not addressed in contracts.

Data privacy: You are obligated to protect customers' and employees' personal data, such as social security numbers, health information, and credit card numbers, from breaches. Even the loss of relatively small amounts of customer data has led to bad publicity and brand damage for many large organizations. Exposing customers' personal information can also result in fines.

Cloud computing provides very clear benefits. However, these advantages require that your organization cede control over risk mitigation and management to a third-party cloud services provider. Moving to the right cloud provider can help your company save money, provide new services and products to customers, respond more quickly to internal IT needs, and expand as business grows. The question is: How do you choose the right cloud provider, one that will help you realize business objectives, while reducing risk and providing the trust and transparency you need?

Protecting Against Risks

Cloud providers know that businesses have reservations about cloud computing, but their efforts to overcome doubts often fail to inspire the confidence of potential cloud users. Customers and prospective customers are looking for timely, useful information with enough relevance and detail to help them make decisions and compare providers. They also want proof that a cloud provider is operating in a way that meets changing regulations and standards set out by government agencies, industry groups, and their own governance boards.

The amount of comfort you will want to obtain will depend on the risk associated with your cloud adoption. Cloud providers may offer the following assurances:

Self-assessments: Providers prepare assessments based on their own framework, generally focused on the documentation of security policies. Even when these assessments are thorough, they are not objective.

Compliance certifications: Increasingly, customers are requiring providers to demonstrate compliance with a growing number of traditional standards, primarily focused on security. As a result, cloud providers are investing great amounts of time, resources, and effort into compliance with ISO 27001/27002, the Federal Information Security Management Act (FISMA), the Health Information Portability and Accountability Act (HIPAA), PCI Data Security Standards and other standards.

Customer audits: Providers complete customer-prepared checklists and detailed questionnaires about capabilities, but a provider's need to protect confidential processes can limit the scope of customer audits. Also, cloud users need specialized resources to conduct effective audits.

Service level agreements (SLAs): These agreements spell out the provider's obligations, but they often do not include customer-centric monitoring of SLA performance or financial adjustments for non-performance that protect cloud users.

AICPA Service Organization Reports: These reports range from addressing a provider's internal controls as they relate to information processing systems relevant to financial reporting (SOC 1 or SSAE 16) to an assessment covering technology related areas such as privacy, availability, confidentiality, processing integrity, and security of service providers (SOC 2).

A Cloudy Future

The technologies and processes used to deliver cloud computing are evolving, and there are no established technology or compliance standards specific to cloud. While existing compliance and regulatory frameworks were not developed to address the specific risks of cloud, the fundamental risks are similar to those risks that would have been faced with any IT or business process outsourcing.

Emerging control standards are also under development, the most prominent of which is the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Beginning later in 2012, cloud service providers will be able to seek FedRAMP certification, which will require having an independent Third Party Assessment Organization perform an initial system assessment and ongoing monitoring of controls. While the FedRAMP program is specific to cloud providers seeking to do business with the government, this framework and associated certification may provide commercial companies a foundation of comfort that a cloud provider has been subject to an independent assessment of controls relevant to cloud.

Many cloud providers have invested heavily to develop highly secure and available environments. Yet every cloud provider is different. To choose a provider you can trust, evaluate the level of assurance they can offer you and supplement it with your own evaluation of controls, as necessary. As standards evolve, cloud providers may be able to offer a certification that alone satisfies your concerns; but, until then, third party assurance may be necessary for you to trust your most valuable asset, your brand, to cloud computing with confidence.

1 Forrester Research, Inc., "Sizing the Cloud," April 2011

2 PwC, "2012 Global State of Information Security Survey," September 2011

3 PwC, "15th Annual Global CEO Survey 2012," January 2012

4 Gartner, Inc., "Summary Report for Gartner's Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away," Daryl C. Plummer, et al., November 29, 2011

© 2012 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

ABOUT THE AUTHORS

Sharon Kane ([email protected]) and Cara Beston (cara.beston@us.pwc.com) are partners within PwC's assurance practice. They have significant experience working with both technology providers and cloud users on evaluating the risks and controls associated with cloud computing technology.

Turning cloud into business value

One thing's for sure. The strategy for the cloud has moved beyond cost reductions. The right cloud strategy and execution plan can transform your business. It can make your business even more agile and collaborative, increase innovation and decrease time to market. Which suggests the importance of developing and implementing a comprehensive cloud strategy that considers governance, security, and controls along with the impact on IT. To learn more about how PwC can help turn your cloud strategy into business value, go to pwc.com/us/cloud

Improving Data Security for Cloud Computing

More challenges face companies looking to mitigate data security risk

By Jaclyn Jaeger

The advent of cloud computing and mobile devices has, of course, dramatically changed the way employees access, use, and share information, yet the related security risks continue to frustrate IT professionals.

In fact, a recent "Global Study on Mobility Risks" conducted by the Ponemon Institute reveals the degree to which mobile devices are circumventing enterprise security and policies. According to the survey of more than 4,000 IT practitioners in 12 countries, 77 percent said the use of mobile devices in the workplace is important to achieving business objectives, but 76 percent also believe these devices put their companies at risk.

"We are going through a massive transformation in our industry," said Mark Benioff, CEO of Salesforce.com, at the RSA Conference in San Francisco in February. "This new workforce is more open, transparent, and collaborative."

At the same time, there are no easy solutions to solve the security risks, even while pressure mounts to mitigate those risks. "We're being required to offer more services, mobility, and access while at the same time dealing with more requirements around governance and compliance," said Symantec CEO Enrique Salem at the conference.

A "lockdown mentality" is not the answer, said Salem. "We need to stop saying no and partner with our user community. This new world cannot be a choice between social versus secure; it has to be both," said Salem. "The new world of doing business means enabling interconnectivity, as well as allowing for strong governance, compliance, and controls."

That push for access to social media platforms and mobile apps is driven by a young generation that has never been tied to a desktop system. Salem described how the "digital native" generation, in particular, has forever changed the way companies conduct business. Typically born in the 1990s, digital natives have never known a time before the Internet or mobile devices.

Digital natives readily turn to their mobile devices, social networking sites, and the cloud to solve problems, rather than obtaining information from a single source, such as a search query. "This is the future of business," said Salem.

While security problems still abound, great progress is being made toward getting them solved. Salem offered a list of three questions companies in every industry must think about to move forward:

How do we manage online identities when our employees maintain dozens?

How do you protect information when the workforce shares information freely?

How do we keep track of a substantially higher volume of online activity?

"If we can't answer these questions, it will be a barrier to the new world of business," said Salem. He described the need for an "advanced persistent protection" plan made up of four essential pillars:

Reliable early warning systems that allow you to understand when a new threat is potentially going to attack;

State-of-art protection, one that recognizes threats without affecting the corporate infrastructure;

Fast remediation, solutions that can move faster than the threat can spread across the company; and

A response plan that includes enforcement officials that can help with an ultimate solution.

Companies still have a long way to go, however, when it comes to adopting necessary security controls and enforceable policies. According to the study, only 39 percent have the necessary security controls to address the risks, and only 45 percent have enforceable policies.

Part of the problem is that employees don't always follow the controls and procedures. In fact, 59 percent of respondents report that employees circumvent or disengage security features, such as passwords and key locks, on corporate and personal mobile devices. During the past 12 months, 51 percent of those companies experienced data loss resulting from employee use of insecure mobile devices, including laptops, smartphones, USB devices, and tablets. "It's clear that employees are deliberately disabling security controls, which is a serious concern," said Larry Ponemon, chairman and founder of the Ponemon Institute.

And the continued migration to mobile devices will only make matters worse. "Tablets and iOS devices are replacing corporate laptops as employees bring their own devices to work and access corporate information," said Tom Clare, senior director of product marketing management of security provider Websense, which sponsored the study. "These devices open the door to unprecedented loss of sensitive data. IT needs to be concerned about the data that mobile devices access and not the device itself."

The study indicates that companies often don't know how and what data is leaving their networks through non-secure mobile devices, which increase rates of malware infections. Fifty-nine percent of respondents reported that over the last year, their companies experienced an increase in malware infections as a result of insecure mobile devices in the workplace, with another 25 percent unsure if they have or not.

"As mobile devices become more pervasive and more employees bring their own smartphones and tablets to work, IT is being challenged like never before," said John McCormack, president of Websense, a data security firm. "They need to immediately protect data, and they need to establish and enforce security practices and policies."

Traditional static security solutions such as antivirus, firewalls, and passwords are not always effective at stopping advanced malware and data theft threats from malicious or negligent insiders.

New Security Tools

To prevent security threats, Christopher Young, senior vice president at Cisco Systems, described the need for more effective firewalls that can track data as it enters and leaves a company's systems. Authentication of data also needs to be altered, so that it is as close to single sign-on as possible, but flexible enough to work across a variety of platforms, added Salem.

Companies already have available the tools they need to achieve greater visibility. "Today we can access standard language that is directly embedded in routers and switches that automatically enforces our policies," said Young, who also spoke at the RSA event. By doing so, the network can determine several factors, he said:

How is that device connected: via Ethernet or wireless?

What's the device: a PC, iPad, iPhone?

What is the posture of that device: Is it infected, or is it clean?

Where is that device connected from, and when?

"What makes all this context power is that now legitimate users can safely get access to the resources that they need on your network," said Young. "This replaces that one size fits all policy that most organizations are using today." Administrative burdens on users also must be reduced.

Data that leaves the cloud should automatically be tagged, and cloud audit trails need to be set up and monitored, said Salem. Employees' access to accounts also should be disabled after they leave the company.

In a world where users are bringing their own devices to work and where user names and passwords, even the strong ones, are easily compromised, Young added, "our only way forward as an industry is to deliver increasingly granular, context aware, and forced control via the network."

Below is a chart from the Ponemon Institute study that shows respondents' perceptions about the use and risks of employees' mobile devices (strongly agree & agree responses combined):

[Chart: Mobile Device Risk. 77%: "The employees' use of mobile devices in meeting business objectives is essential or very important." 76%: "The use of mobile devices in the workplace represents a serious security threat." 39%: "My organization has the necessary security controls to mitigate or reduce the risk posed by insecure mobile devices."]

Source: Ponemon Institute.


    KNOWLEDGE LEADERSHIP

Choosing a Cloud Provider With Confidence

Executive Summary

Cloud computing is rapidly transforming the IT landscape, and the conversation around adopting cloud technology has progressed from "if" to "when." Enterprises are showing strong interest in outsourced (public) cloud offerings that can help them reduce costs and increase business agility. These cloud services offer enormous economic benefits, but they also pose significant potential risks for enterprises that must safeguard corporate information assets while complying with a myriad of industry and government regulations.

Many cloud service providers can deliver the security that enterprises need, and SSL (secure sockets layer) certificates are part of the solution. More specifically, SSL is the solution for securing data when it is in motion.

The goal of this white paper is to help enterprises make pragmatic decisions about where and when to use cloud solutions by outlining specific issues that enterprises should raise with hosting providers before selecting a vendor, and by highlighting the ways in which SSL from a trusted certificate authority can help enterprises conduct business in the cloud with confidence.

Ready or Not, Here Comes the Cloud

Some people believe cloud computing is the most significant paradigm shift since the advent of the internet. Others think it's just a fad. But one thing is for certain: cloud technology is quickly rising to the top of every CIO's priority list.[1] Organizations are accelerating their uptake of cloud services, and industry analysts such as Gartner Research estimate that enterprises around the world will cumulatively spend USD $112 billion on cloud services over the next five years.[2]

1 Source: Gartner EXP Worldwide Survey (http://www.gartner.com/it/page.jsp?id=1283413)
2 Source: Gartner Research (http://www.gartner.com/it/page.jsp?id=1389313)

New Opportunities for Business

Most organizations cite cost savings as the most immediate benefit of cloud computing. For the enterprise, cloud services offer lower IT capital expenditures and operating costs, on-demand capacity with self-service provisioning, and pay-per-use pricing models for greater flexibility and agility. The service provider, in turn, achieves exponentially greater economies of scale by providing a standardized set of computing resources to a large base of customers. Many enterprise hosting providers are already well positioned in the market and have the core competencies (people, processes, technology) to deliver the promise of cloud computing to the enterprise.

New Security Challenges for IT

Despite the clear economic benefits of using cloud services, concerns about security, compliance and data privacy have slowed enterprise adoption. An IDC survey of IT executives reveals that security is the #1 challenge facing IT cloud services.[3] Gartner Research has identified seven specific areas of security risk[4] associated with enterprise cloud computing, and recommends that organizations address several key issues when selecting a provider:

1. Access privileges: Cloud service providers should be able to demonstrate they enforce adequate hiring, oversight and access controls to enforce administrative delegation.
2. Regulatory compliance: Enterprises are accountable for their own data even when it's in a public cloud, and should ensure their providers are ready and willing to undergo audits.
3. Data location: When selecting a hosting provider, it's important to ask where their datacenters are located and if they can commit to following specific privacy requirements.
4. Data segregation: Most public clouds are shared environments, and it is critical to make sure hosting providers can guarantee complete data segregation for secure multi-tenancy.
5. Data recovery: Enterprises must make sure their hosting provider has the ability to do a complete restoration in the event of a disaster.
6. Monitoring and reporting: Monitoring and logging public cloud activity is hard to do, so enterprises should ask for proof that their hosting providers can support investigations.
7. Business continuity: Businesses come and go, and enterprises should ask hard questions about the portability of their data to avoid lock-in or potential loss if the business fails.

3 Source: IDC eXchange (http://blogs.idc.com/ie/?p=730)
4 "Assessing the Security Risks of Cloud Computing" (http://www.gartner.com/DisplayDocument?id=685308), Gartner, June 3, 2008.

To reap the benefits of cloud computing without increasing security and compliance risks, enterprises must ensure they work only with trusted service providers that can address these and other cloud security challenges. What's more, when enterprises move from using just one cloud-based service to using several from different providers, they must manage all these issues across multiple operators, each with different infrastructures, operational policies, and security skills. This complexity of trust requirements drives the need for a ubiquitous and highly reliable method to secure your data as it moves to, from and around the cloud.

SSL Provides a Bridge to Secure Data in the Cloud

SSL is a security protocol used by web browsers and web servers to help users protect their data during transfer. SSL is the standard for establishing trusted exchanges of information over the internet. Without the ubiquity of SSL, any trust over the internet simply would not be possible. SSL comes into play anytime data changes location. If an enterprise keeps its data in the cloud, secure network access to it is important. Plus, that data is likely to move around between servers in the cloud when the service provider performs routine management functions. Whether data is moving between server and browser or between server and server, SSL helps to secure it.

SSL delivers two services that help solve some cloud security issues. First, SSL encryption keeps prying eyes from reading private data as it is transmitted from server to server and between server and browser. The second benefit, possibly even more important, is establishing that a specific server and domain can be trusted. An SSL certificate can authenticate that a specific server and domain do belong to the person or organization that it claims to represent. This benefit requires that the hosting provider use SSL from a third-party Certificate Authority (CA).

    How Does SSL Work?

An SSL certificate contains a public and private key pair as well as verified identification information. When a browser (or client) points to a secured domain, the server shares its public key (via the SSL certificate) with the client to establish an encryption method and a unique encryption key for the session. The client confirms that it recognizes and trusts the issuer of the SSL certificate. This process, based on a sophisticated backend architecture laced with checks and double-checks for security, is known as the SSL handshake, and it can begin a secure session that protects data privacy and integrity.


Ensuring Data Segregation and Secure Access

Data segregation risks are ever-present in cloud storage. With traditional onsite storage, the business owner controls both exactly where the data is located and exactly who can access it. In a cloud environment, that scenario is fundamentally changed: the cloud service provider controls where the servers and the data are located. However, a proper implementation of SSL can secure sensitive data as it is being transmitted from place to place in the cloud, and between cloud provider servers and end users on browsers.

Encryption

Businesses should require their cloud provider to use a combination of SSL and servers that support, at minimum, 128-bit session encryption (or, preferably, the stronger 256-bit encryption). This way their data is secured with industry-standard levels of encryption or better as it moves between servers or between server and browser, preventing unauthorized interceptors of their data from being able to read it.

Authentication

Businesses also should demand that server ownership be authenticated before one bit of data transfers between servers.

Self-signed SSL certificates provide no authentication. Only independent, third-party SSL certificates can legitimately deliver ownership authentication. Requiring a commercially-issued SSL certificate from a third-party Certificate Authority that has authenticated the server makes it virtually impossible to establish a rogue server that can infiltrate the cloud provider's environment.

Certificate Validity

Once a server and domain are authenticated, the SSL certificate issued to that device will be valid for a defined length of time. In the rare case that an SSL certificate has been compromised in some way, there is a fail-safe check to verify that the certificate has not been revoked in the time since it was originally issued. Every time an SSL session handshake is initiated, the SSL certificate is checked against a current database of revoked certificates.

There are currently two standards used for this validity check, Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL). With OCSP a query is sent to the certificate authority asking if this certificate has been revoked, and the certificate authority answers yes or no. If the answer is no, the handshake may commence. CRL, on the other hand, requires that the browser download the most current revocation list from the certificate authority and check the list itself to see if the certificate appears in the list.

The Online Certificate Status Protocol (OCSP) standard is considered the more reliable method by many because it is always up-to-date and less likely to time out due to network traffic. SSL certificates that rely only on the CRL standard are less desirable because in instances of high amounts of network traffic, this step can be missed: some browsers will misinterpret an incomplete CRL review as a confirmation that a certificate is not on the revoked list, consequently completing a handshake and initiating a session based on a revoked SSL certificate. In such a scenario a rogue server could use a revoked certificate to successfully
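The client-side checks described in "How Does SSL Work?", "Authentication" and "Certificate Validity" above, as an added Go example that is not GeoTrust's code (Go 1.19 or later, for x509.ParseRevocationList): it builds an in-memory CA, server certificates and a CRL, chains a presented certificate to the trusted root (so a self-signed certificate is refused), confirms host name and validity period, and then consults the CRL, treating a missing, stale or mis-signed list as grounds to stop rather than as proof the certificate is not revoked. The host name, serial numbers and lifetimes are arbitrary constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked marks a serial found on the CRL. Any other non-nil error from CheckRevocation
// means the status is unknown, and a fail-closed client treats that the same way: no session.
var ErrRevoked = errors.New("certificate is revoked")

// NewCert generates a P-256 key and a certificate for it: an issuing CA when isCA is set
// (crlSign key usage lets it sign CRLs), otherwise a server certificate for host subject.
// A nil parent makes it self-signed. Everything here is a constructed fixture, not a real CA.
func NewCert(subject string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour), // "valid for a defined length of time"
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the certificate vouches only for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildCRL has the CA sign a revocation list naming the given serials, current from
// thisUpdate until nextUpdate (after which a client must fetch a fresh one).
func BuildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []int64, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          thisUpdate,
		NextUpdate:          nextUpdate,
		RevokedCertificates: entries,
	}, ca, caKey)
}

// CheckRevocation returns nil only when a complete, issuer-signed, still-current CRL does not
// list the serial. A missing or truncated download is an error, never read as "not revoked".
func CheckRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	if len(crlDER) == 0 {
		return errors.New("CRL unavailable or incomplete")
	}
	crl, err := x509.ParseRevocationList(crlDER) // Go 1.19+
	if err != nil {
		return fmt.Errorf("CRL unparseable: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by the issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// VerifyServer is the client side of the handshake: chain the presented certificate to a
// trusted root (self-signed and unknown-CA certificates fail here), confirm host name and
// validity period, then consult the issuer's CRL. A nil result means the session may begin.
func VerifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string, crlDER []byte, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return fmt.Errorf("not trusted: %w", err)
	}
	return CheckRevocation(leaf, chains[0][1], crlDER, now) // chains[0][1] is the leaf's issuer
}
```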

Facilitating Regulatory Compliance

Next are the regulatory compliance risks. When it comes to secure and confidential data, businesses are burdened with a slew of regulations. These range from laws like the Sarbanes-Oxley (SOX) Act, which affects only public companies, to the Payment Card Industry Data Security Standard (PCI-DSS), which affects any company accepting payment cards, to the federal Health Insurance Portability and Accountability Act (HIPAA), which affects any business with even the remotest possibility of touching patient data. In Europe there is the EU Data Privacy Directive, and Canada has an equivalent, the Personal Information Protection and Electronic Documents Act (PIPEDA).

When an organization outsources IT to a cloud service provider, the organization is still responsible for maintaining compliance with SOX, PCI, HIPAA and any other applicable regulations, and possibly more depending on where the servers and the data are at any given moment. As a result, the enterprise will be held liable for data security and integrity even if it is outsourced. Since the enterprise IT manager cannot rely solely on the cloud provider to meet these requirements, the enterprise must require the cloud provider to seek some compliance oversight.


• A Certificate Authority that safeguards its global roots behind layers of industrial-strength security, employing multiple levels of electronic and physical security measures.
• A Certificate Authority that maintains a disaster recovery backup for its global roots.
• Global roots using the strong new encryption standard employing 2048-bit RSA keys.
• A chained hierarchy supporting their SSL certificates. At least one intermediate root in the chain adds an exponential level of encryption protection to prevent attacks to the global root.
• Secure hashing using the SHA-1 standard to ensure that the content of certificates cannot be tampered with.

Additionally, many servers rely on a Debian-based operating system for generating their SSL keys. The fundamental encryption capabilities of this system were compromised from 2006 to 2008. Enterprises should make sure their cloud provider is not relying on servers or SSL certificates that may have been compromised by this flaw. SSL certificates can be issued for validity lengths of up to six years, so it is possible that SSL with this flaw is still being used.[6]

6 Source: http://voices.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.html

Authentication Generates Trust in Credentials

Trust of a credential depends on confidence in the credential issuer, because the issuer vouches for the credential's authenticity. Certificate authorities use a variety of authentication methods to verify information provided by organizations. It is best to choose a cloud provider who standardizes on a certificate authority that is well known and trusted by browser vendors, while maintaining a rigorous authentication methodology and a highly reliable infrastructure.

There are four levels of authentication for SSL. All enable an encrypted exchange of information; the difference lies within the strength of the server and domain authentication, in other words, the amount of effort put into validating the ownership and control of that server and domain.

1. Self-signed certificates offer zero authentication; they exist to enable encryption, and that is all. This type of SSL does not provide the security required by an enterprise.
2. Domain validated certificates offer only basic authentication because they only confirm that the person applying for the certificate has the right to use a specific domain name. These certificates are not recommended for server-to-browser connections because they do not vet or display the identity of the organization responsible for that domain or server.
3. Organization validated certificates offer reliable authentication for the cloud because they validate that the organization claimed to be responsible for the domain or server actually exists, and that the person applying for the SSL certificate for that domain or server is an authenticated representative from that organization. These SSL certificates are acceptable choices for server-to-browser connections, but they do not offer the highest level of confidence-building features for the end user.
4. Extended validation certificates (EV) are the best choice for server-to-browser connections because they offer the strongest level of authentication and the clearest validation that the connection is secure. With EV certificates, the legal, physical and operational existence of the organization is verified, as is the right of that organization to use that domain. Using EV ensures that the organization's identity has been verified through official records maintained by an authorized third party, and that the person requesting the certificate is an authorized agent of the organization.

An SSL certificate with this highest level of authentication can uniquely trigger unmistakable identifiers in an end user's web browser: a green browser address bar that displays the name of the organization, and the name of the certificate authority which issued the SSL. When end users encounter the green address bar, they have complete assurance that their connection is secure. Numerous businesses have reported noticeable uplifts in completed transactions (18 percent on average for VeriSign customers) after deploying Extended Validation SSL. For these and other reasons, EV is the preferred choice for hosting applications and services in the cloud.

Conclusion: Go With What You Know

SSL is a proven technology and a keystone of cloud security. When an enterprise selects a cloud computing provider, the enterprise should consider the security options selected by that cloud provider. Knowing that a cloud provider uses SSL from a trusted certificate authority can go a long way toward establishing confidence in that provider's commitment to safeguarding the data in its possession.

When selecting a cloud service provider, enterprises must also be very clear with their cloud partners regarding handling and mitigation of risk factors not addressable by SSL. Enterprises should consider the seven categories suggested by Gartner when eva
luating (and especially when contracting with) cloud computing solutions.

Cloud providers should be using SSL from an established, reliable and secure independent certificate authority. Its SSL should deliver at minimum 128-bit encryption and optimally 256-bit encryption based on the new 2048-bit global root. And it should require a rigorous authentication process. The SSL issuing authority should maintain military-grade data centers and disaster recovery sites optimized for data protection and availability. The SSL certificate authority needs its authentication practices audited annually by a trusted third-party auditor. The GeoTrust, Thawte, and VeriSign SSL brands all offer SSL products that meet these requirements.

Learn More

To find a trusted cloud service provider that meets the criteria outlined in this white paper, visit http://www.geotrust.com/sell-ssl-certificates/strategic-partners.html.

About GeoTrust

GeoTrust is a leader in online trust products and the world's second largest digital certificate provider. More than 300,000 customers in over 150 countries trust GeoTrust to secure online transactions and conduct business over the Internet. Our range of digital certificate and trust products enables organizations of all sizes to maximize the security of their digital transactions cost-effectively.

Contact Us

www.GeoTrust.com

Corporate Headquarters: GeoTrust, Inc., 350 Ellis Street, Bldg. J, Mountain View, CA 94043-2202, USA. Toll Free +1-866-511-4141, Tel +1-650-426-5010.

EMEA Sales Office: GeoTrust, Inc., 8th Floor Aldwych House, 71-91 Aldwych, London, WC2B 4HN, United Kingdom. Tel +44.203.0240907.

APAC Sales Office: GeoTrust, Inc., 134 Moray Street, South Melbourne VIC 3205.

2011 GeoTrust, Inc. All rights reserved. GeoTrust, the GeoTrust logo, the GeoTrust design, and other trademarks, service marks, and designs are registered or unregistered trademarks of GeoTrust, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are the property of their respective owners.

Outlook Improving for Data Security in the Cloud

By Todd Neff

By now, the benefits of cloud computing are familiar: rapid deployment, scalability, low startup costs, ability to focus on the business rather than running data centers, accounting gains from expensing costs rather than capitalizing them; the list goes on.

The tally of the cloud's principal disadvantages is just as well-known, albeit a lot shorter: data security and compliance.

Don't be deceived by imbalance in pros and cons, however; those two drawbacks have cast quite a shadow on cloud adoption. The good news is that a combination of IT self-awareness, savvy dealings with cloud-computing providers, and new software offerings is chipping away at data security concerns, making the transition to the cloud much less of a leap of faith.

That's not to say that data security problems are evaporating. While experts see an increasingly wide range of data as cloud-eligible, deciding what to keep in-house and what to move to the cloud depends on an organization's appetite for risk, the value (or savings) the cloud can impart, and the consequences of losing control over one's data.

Different types of cloud models have their own data-security and compliance implications, which, in turn, hinge on the nature of the data and processing a company wants to send to the cloud. Computing vendors host private, public, and hybrid clouds, where they provide software as a service (SaaS), think Salesforce.com; infrastructure as a service (IaaS), which is server-and-storage for hire; and platform as a service (PaaS), a virtual software-development platform. Public clouds, hosted by the likes of Amazon, Microsoft, IBM, Google, and many others, are the most economically attractive; SaaS and IaaS, on the other hand, are the fastest-growing markets.

David Cass, chief information security officer of Elsevier, a publisher of science and health data, says his organization sees the cloud as an opportunity to let Elsevier focus on its strengths, managing content and delivering products to customers. Elsevier's default IT position is to think cloud-first for every application and revert to in-house data centers if the cloud looks too risky, Cass says.

Risk Analysis

The analysis starts with Elsevier's enterprise architecture committee, "because it looks at things strategically across Elsevier," he says. The first hurdle is a big one: Does the proposed cloud application involve what Cass calls "regulated data," information that falls under the purview of the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), or a host of other laws and industry standards?

If so, Cass says, Elsevier takes the cloud off the table. "As the cloud matures, as security gets better and there's more visibility into the product, we can revisit some of the regulated data applications," he says.

Applications passing the first test then go through a cloud readiness assessment and a security review, Cass says. "The move to the cloud really puts the focus back on application security and good IT governance," he says.

The cloud readiness assessment review involves a hard look at the applications themselves. "Because you may not have control over a cloud provider's security and firewalls, the key thing is to make sure the application is designed with security in mind, rather than having to put security around the application," Cass says.

Douglas Barbin, a director at BrightLine and cloud-security auditor, agrees. "It's not just on the cloud provider and how good they are. It depends on what you give the public cloud in the first place. If you're doing processing on your end and put personally identifiable information in the cloud, the risk is reduced if it's encrypted when it gets there," he says.

The risk is also reduced by finding the right service provider in the first place, Barbin says. Cloud providers are piling on certifications to demonstrate their commitment to security, including SAS 70, ISO 20000, PCI DSS 2.0, and others. The Cloud Security Alliance and the Open Data Center Alliance are also publishing guidance on security standards. "In terms of auditing, it used to be that the forward-thinkers were doing SAS 70; now [the AICPA's] SOC 1 and SOC 2 seem to be more the norm," Barbin adds.

In the Contract

Service-level agreements can shore up cloud security and lessen the risk of moving to the cloud, says Thomas Trappler, director of software licensing at the University of California at Los Angeles. Trappler, who teaches a seminar on cloud computing contracting, says even HIPAA-class data could be cloud-ready, with the right SLAs in place and the right provider.

The cloud provider doesn't necessarily have to understand HIPAA per se, Trappler adds. HIPAA merely says healthcare data must be secure and confidential; it doesn't specify how to get that done. Once a path to HIPAA compliance is defined, a company can wrap an SLA around a bundle of services (encryption, physical security, auditability, and so forth) that combine to achieve compliance, he says.

"HIPAA [compliance] is an end-state," Trappler says, though he agrees that most organizations will have data they deem too sensitive to put in the cloud.

Greg Brown, McAfee's vice president of product marketing and cloud security, says hosted private clouds, which let you identify dedicated physical servers and storage, are the best bet for audit-sensitive offerings.

Vendors are stepping up with new cloud-security offerings, says Rick Holland, a senior analyst covering risk and security with Forrester Research. For example, Okta, an identity and access management service, offers a way to provision and de-provision (that means add and delete in the common tongue) users quickly and across cloud and corporate platforms. Another, CloudLock, provides a layer of control and auditability for Google Apps, and, soon, Microsoft's cloud-based Office 365.

The CloudLock software addresses a common issue: employees, or even entire departments, are using Google Apps, Box.net, and other cloud-based software without the IT department's (or the compliance team's) knowledge, let alone consent. "I would dare to say that almost every organization has a lot more of that going on than they think," Holland says.

The big names in IT security are playing in the cloud, too; McAfee's Cloud Security Platform is just one example. It integrates into existing McAfee security products with the defining philosophy that a company should be able to extend its approach to IT security into the cloud's SaaS and IaaS environments, Brown says.

"Just because you're embracing the cloud doesn't mean you have to invent a new security process," Brown says.

CLOUD COMPUTING RISK ASSESSMENT

The following information from PwC explains what risks are associated with cloud computing, what cloud providers are doing to thwart risk, and the benefits of third-party assurance:

With cloud computing, risks include:

Security: You could be at a competitive disadvantage or subject to negative publicity and legal or regulatory action if your intellectual property or other data could be accessed by other cloud users. The same is true for data viewed and misused by cloud administrators.

Privacy: You are obligated to protect customers' and employees' personal data, such as social security numbers, health information and credit card numbers, from breaches. Even the loss of relatively small amounts of customer data has led to bad publicity and brand damage for many large organizations. Exposing customers' personal information can also result in fines.

Availability: Cloud providers promise certain levels of availability and uptime, but you have no way of knowing if the provider has adequately prepared for high usage levels across multiple cloud users. This is an especially relevant concern for companies considering moving transaction processing to the cloud.

Data Integrity, Retention and Ownership: You rely on data to forecast, report and manage your business. Inaccurate or incomplete data coming from a cloud provider's systems could result in poor forecasting or incorrect public reporting. Your business may also be subject to regulations or legal processes that require ready access to significant historical data. Without sufficient data retention and access rights, you may be subject to fines, penalties or judgments for non-compliance. Finally, your cloud service provider may use your data for secondary purposes if data ownership rights are not addressed in contracts.

Providers try to address user concerns with:

Self-assessments: Providers prepare assessments based on arbitrary frameworks, generally focused on the documentation of security policies. Even when these assessments are thorough, they are not objective.

Customer audits: Providers complete customer-prepared checklists and detailed questionnaires about capabilities, but a provider's need to protect confidential processes can limit the scope of customer audits. Also, cloud users need specialized resources to conduct effective audits.

Service level agreements (SLAs): These agreements spell out the provider's obligations, but they often do not include customer-centric monitoring of SLA performance or financial adjustments for non-performance that protect cloud users.

SAS 70 reports: These reports address a provider's internal controls as they relate to information processing systems that support financial reporting. But cloud computing risks go far beyond those relevant to financial reporting. So while the SAS 70 delivers insight, it is not sufficient to address the full scope of risks associated with cloud computing.

Source: PwC Whitepaper on Protecting Your Brand in the Cloud (December 2010).