What's Most Misunderstood About Cloud Computing?
H. Peet Rapp is an information security auditor who sits on ISACA's Cloud Computing Work Group, and he's co-author of the white paper Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives.
In an exclusive interview, Rapp discusses:
Rapp entered the IT audit/compliance profession in 2003, after publishing the widely read paper "An IT Executive's Overview of the Sarbanes-Oxley Act of 2002." With his firm, Rapp Consulting, he has audited, provided risk assessments and developed IT control frameworks for more than 70 organizations and developed a reduced IT control set for non-accelerated filers.
What is the latest on the state of cloud computing?
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with H. Peet Rapp, a member of ISACA's Cloud Computing Workgroup, and the co-author of a new white paper, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives. Peet, thanks so much for joining me.
H. PEET RAPP: It's great to be here, Tom.
FIELD: Maybe you can start out by telling us a little bit about yourself and your current work please?
RAPP: Sure. I am a Certified IT Auditor, a CISA, and nearly a Certified Information Security Manager, known as a CISM. Now, I am between assignments, and during this time I have had the opportunity to go deep into the cloud and become aware of the various different IT security issues you are going to find in cloud computing today.
FIELD: Now, we mentioned up front you are on ISACA's Cloud Computing Workgroup.
RAPP: That's correct.
FIELD: What is this group, Peet and what is the role of this group?
RAPP: ISACA's Cloud Computing Workgroup consists of IT security and audit specialists from across five different continents, all ISACA members, and we came together last month and identified the various different IT security concerns in the cloud, and we are going to be providing this information in a book, which is currently being written, hopefully to be published by this coming July.
FIELD: Well, big question for you now, given all of the talk about cloud computing. What would you describe as the state of cloud computing today and maybe separating some of the myths from the realities?
RAPP: Okay. What has been unfortunate in a lot of the media hype today regarding cloud computing is coming from the various different cloud service providers hoping to gain traction with potential prospects. The cloud offers clients supposedly unlimited benefits of scalability, on-demand computing needs, able to provide services on an as-used basis with little to no capital expenses. In other words, if you use a lot of the service, you pay for that. It is pretty much equating cloud computing very much the same as any other utility such as gas or electricity -- you pay for what you use. Unfortunately, what has been coming through in these presentations doesn't include what is now becoming recognized as serious cybercrime. One of the things that is going to be happening in cloud computing is various different clients' databases are going to be aggregated into one cloud. So, if a cyber criminal comes into one cloud, they are going to have access not to one client's database but dozens, perhaps even hundreds. So, you are getting these very, very large balls of low-hanging fruit that could be accessible to these cyber criminals, and this is no laughing matter. Security criminals out there today are increasingly sophisticated, and they are going after these types of data for money, for profit. In fact, cybercrime several years back surpassed the loss to society that had been ongoing from, say, illicit drugs.
FIELD: So, given the landscape and all the conversation that we hear about cloud, what would you isolate as being most misunderstood about cloud computing in the marketplace today?
RAPP: The most misunderstood stuff about cloud computing today is basically the issue of cybersecurity. Again, little to nothing in the media has been devoted to cybercrime/cybersecurity issues, and I believe a good understanding of cloud computing today was that for every business advantage afforded through cloud computing, you are going to have an equal level or even a greater compelling issue in cloud security risks.
FIELD: Now, Peet, we talked up front about this white paper that you have co-authored. Can you tell us a little bit about it please -- its major themes and then where, of course, people can find it?
RAPP: Yes. The major theme of the paper primarily -- and this is a key issue -- is the identification of the terminology used in defining the various different aspects of cloud computing. Now ISACA, in addition to the Cloud Security Alliance, has accepted and adopted the terminology first defined by the National Institute of Standards and Technology, or NIST.
Too often you can get into arguments and discussions about cloud computing, and you and the other person you are talking with have two different concepts of the various different terms. So the first thing out of the gate is to make sure everyone is talking apples to apples when we go into the cloud.
The second theme of this paper is essentially identifying the proper balance of what needs to go at looking at the business advantages of the cloud versus the risks that are out there.
The third theme of this is providing IT security managers and IT auditors a chance to review cloud service providers' service level agreements to determine whether this candidate cloud service provider has the adequate security and continuity procedures in place, and then recommending provisions, which would be put in place in these SLAs, which would best protect your organization's data and applications loaded into the clouds.
FIELD: Again, Peet, where can people find this White Paper?
RAPP: You will find this paper at www.isaca.org/cloud.
FIELD: Very good. One last question for you; as you know, we have got organizations from financial services, from government, from healthcare, all talking about cloud today. If you could boil it all down, what advice would you give to these organizations that are starting to investigate cloud computing?
RAPP: I would point them directly to the organization referred to as the Cloud Security Alliance, and ISACA is a member of this organization. But the Cloud Security Alliance draws upon organizations such as ISACA, as well as many of the service providers in the cloud such as Microsoft, Intel, HP, Dell -- I could go on for another 40 to 50 different groups. But the Cloud Security Alliance seems to have the front-runners in providing information to potential cloud users on best practices to go for and what things they need to avoid and stay away from.
They are going to be coming out in the next several weeks, perhaps maybe months, with what they call the Cloud Security Alliance Controls Matrix. This will provide prospect clients kind of a list of things to look for to compare the service offering of the cloud service provider versus the data and applications they could put into the clouds and be able to provide a good balanced scorecard of what they should or shouldn't put in the clouds based upon your organization's accepted level of risk.
FIELD: Now, Peet, in a conversation that we had earlier, you made a very apt analogy about cloud computing. I am wondering if you might be able to repeat that for us now.
RAPP: When I present the cloud security issues to different organizations, I draw the analogy of the cloud as being like a perfectly flat mirror-smooth lake of ice, and this lake essentially is of infinite size. It is an ideal skating pond -- you know, get out your skates and go. But one problem: The ice on this lake is currently about two inches thick. So, you have to be pretty darn careful of where you go and where you skate. The same holds true today in the cloud.
FIELD: Very sound advice. Peet, I appreciate your time and your insight today.
RAPP: Thank you.
FIELD: We have been talking about cloud computing. We have been talking with H. Peet Rapp, a member of ISACA's Cloud Computing Workgroup. For Information Security Media Group, I'm Tom Field. Thank you very much.