(ISC)² Team

Don't Fear the Cloud!

http://bit.ly/2hfwl4K

NATURAL DISASTERS PUT THE "A" IN THE CIA TRIAD TO TEST

By David Shearer, CISSP, CEO (ISC)² 

Let's face it, there's still a fair amount of fear when it comes to the cloud, and I know firsthand people in Texas and Florida recently experienced some devastating weather that tests individuals' and organizations' resiliency. Natural disasters like Hurricane Harvey, Irma and others around the world can serve as a reminder that cybersecurity, IT/ICT and OT for that matter, need to work in complementary ways to ensure not only cybersecurity resiliency but business and mission fulfillment resiliency (i.e. Continuity of Operations). I break these areas out, because I frequently hear them discussed in stovepipe ways. That vertical versus horizontal view simply does not serve the endgame for the organizations we serve.


I'm old enough to remember putting in PBX core communications switches. Then we moved to IP Trunked PBXs for addressing long-distance charges, and then facilities-based voice over Internet Protocol (VoIP) implementations. Early on, we had facilities-based VoIP scalability issues, but we eventually worked through most of those limitations. In the early days, VoIP-based solution architectures were constrained to a facility. Then soft phones came to pass along with cloud-based communications services. OK, you're likely asking, “Dave, where are you going with this?” Well, we talk a lot about the CIA triad: Confidentiality, Integrity and Availability. In the context of this post, I'm focusing on Availability without discounting the importance of Confidentiality and Integrity. 


(ISC)² teamed with the Cloud Security Alliance (CSA) to develop the Certified Cloud Security Professional (CCSP®) certification. Both organizations believe you shouldn't fear the cloud, but you need to move solutions to the cloud in the most secure way possible. We all know there are no absolute guarantees when it comes to security, but leveraging best practices and sound risk-mitigation strategies gives organizations a fighting chance.  


Cybersecurity is an important part of the equation, but we need to work in complementary ways with the IT, ICT and OT communities to help ensure the availability aspects of the CIA triad. When Irma impacted Florida, (ISC)² was fortunate that we designed our enterprise architecture leveraging cloud services. I won't go into details about this for obvious security reasons, but I will say in the case of a regional disaster like Irma, we were far better prepared to ensure availability of our operations and services. Cloud-based phone and service center solutions enable us to leverage remote work and shift work load to other regions of our operations. Our headquarters building was without power for days, and fortunately the computing and storage workloads we moved from on-premise to the cloud helped us sustain our operations with minimal impact to our members.


I write this merely to raise awareness and remind people there are no options available to us that are risk-free when it comes to leveraging technology to host our information assets and supporting our mission and business operations. I write this with a fair amount of trepidation, because it always seems that when we talk about how good we are, we end up being tested. However, in the wake of Irma, I feel compelled to write about how cloud-based communication services, computing and storage can provide for – when done well – operational and cybersecurity resiliency. Both outcomes are vitally important to any organization. The paradox we’re always trying to balance is operational capabilities with appropriate levels of security to manage risks. Suffice it to say, if it were easy, anyone could do it. Even with the best plans, our efforts can be thwarted. Again, that's where cybersecurity and operational resiliency converge. I break these two capabilities out intentionally to help raise awareness of the inherent tension between the two. In some cases, we may be able to restore operational capabilities in advance of cybersecurity confidence, but it's a risk management issue. How risk averse is an organization? If an organization is willing to restore operations in advance of cybersecurity confidence, it certainly can. Cybersecurity is not a hard-and-fast gate to business or mission operations. Cybersecurity should provide a gauge to an organization to determine their level of risk acceptance, because there are no guarantees when it comes to cybersecurity.


This may sound like I'm ending on a fear, uncertainty and doubt note, but that's not my intention. I've seen where the cloud provides a better security posture for many organizations. Servers in office closets and even in fairly well designed business computer rooms frequently will not provide service in regional property destruction and power outage situations. Additionally, some outsourced data center solutions will suffer from regional disruptions. In the case of Small and Medium Businesses (SMBs), this is very frequently the case. Organizations counting on single facility-based solutions in times of natural disasters can fail miserably at addressing the "A" in the Confidentiality, Integrity and Availability triad. So at (ISC)², along with our friends at the CSA, we say "Don't fear the cloud." Understand how to leverage the cloud for operational, cybersecurity and competitive advantage. Public sector organizations should also consider the type of resiliency cloud-based solutions can provide during natural disasters. Few organizations can afford the type of geographical data center diversity that cloud solution providers can deliver, particularly when it comes to availability. An often overlooked capability when considering on-premise versus cloud-based solutions is continuity of operations (e.g., availability). Granted, information assets that are not “available” have little risk to confidentiality and integrity, because few organizations continue to operate without information asset and service availability.


That’s my story, and I’m sticking to it.

Thanks,

David Shearer
| CEO | dshearer@isc2.org | www.isc2.org | iamcybersafe.org |
16 Replies
Contributor I

Re: Don't Fear the Cloud!

A great article and case study about using the cloud.  I'm glad you all survived Irma!


Availability is key, especially in the ICS space.  However, I worry about the day when there is SCADA in the cloud! 

(ISC)² Team

Re: Don't Fear the Cloud!

Great point. There are limitations to everything. Look forward to seeing you at Congress James.
Thanks,

David Shearer
| CEO | dshearer@isc2.org | www.isc2.org | iamcybersafe.org |
Viewer II

Re: Don't Fear the Cloud!

Worth noting: not all things "Cloud" are created equal.


Of concern:  The message currently being marketed to the C-Suite is that "Cloud is much more secure than on-prem."   Agree that *CAN* be true, sometimes, with some clouds, some cloud suppliers, and some uses of "the cloud."


Totally disagree that any old XaaS provided by any old provider in any old way with or without any particular security measures is necessarily more secure than doing the same thing on-prem, just because it's "cloud" and "cloud is more secure."


WE may all understand that, but marketers are marketing to C-level execs without InfoSec credentials with sometimes dangerous messages.


Just sayin.

Viewer

Re: Don't Fear the Cloud!

Nice read, and for availability (and resilience!!) it is true for a lot of countries. The key here, however, is to balance all aspects. Privacy is a big thing in the EU, so it throws in its weight in the cloud debate. The key difference, in my opinion, is in the US, privacy is treated like a commodity (covered by product law), and in the EU it's a personal right (like liberty). Cloud providers have enormously complicated service term structures (if you want a taste of hell, dive into the Microsoft agreement structure). This leads to large uncertainties in how data is treated in accordance with EU law.  


This information asymmetry counteracts the benefits of cloud services like availability, in my opinion, in a strongly regulated market like the EU.