BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Following the recent downtime and data breaches at top-tier cloud service providers including Amazon Web Services LLC, Sony Corp. and Epsilon Data Management LLC, the risk deck has been shuffled at enterprises looking to move to hybrid cloud computing. Two risks that lurked in the middle of our top 10 list -- liability and identity management -- have floated to the top.
Once again, enterprise executives are talking about the need for cloud insurance, or at least a discussion about who is responsible when the cloud goes down. Presently, public clouds offer standardized service-level agreements, or SLAs, that offer remuneration for time -- but not for potential business -- lost during the downtime. Recent events could be opportunities for providers and CIOs to negotiate premium availability services, according to experts.
Granted, not all outages are alike. "A single point of failure [as happened with the Amazon outage in Virginia] will be rare," as redundant technologies and provider partnerships continue to knit the fabric of an enterprise cloud, said Jerry Archer, senior vice president and chief security officer at Wilkes-Barre, Pa.-based Sallie Mae Inc., which provides origination services and collections for $200 billion worth of private and federal-backed student loans.
The breaches at Epsilon, a database marketing services provider in Irving, Texas, and at Sony's Playstation 3 network, however, "will cost people for a long time," Archer said. The former breach exposed email addresses and customer names, and the latter exposed credit card data. Both involved millions of customers.
What can IT executives who are considering cloud investments do to protect their companies against such risks? For Archer, the road to the cloud begins not with a cloud insurance policy, but with a secure identity management system.
On-ramp to the cloud: Secure identity management
As Sallie Mae's CSO, Archer has a job that encompasses "anything that starts and ends with security, physical as well as logical," he said. "We are broadly now seeing [across the industry] more cross-environmental attacks -- physical as well as logical -- by someone who figures out how to get into the building."
Sallie Mae is responding to such security threats with initiatives including device management, surveillance, forensics and cross-training of logical security and physical security personnel. Underpinning this strategy is a secure identity management system that reduces human error in the access process while streamlining the company's efforts in compliance.
"The amount of regulation that we face every year is just enormous," Archer said. "We're spending 70% of [IT] resources on compliance." In fact, Sallie Mae was audited 10 times last year on access control.
Based on a positive experience at a previous job, Archer brought in SailPoint Technologies Inc.'s IdentityIQ software to automate a process that had been arduous, if not downright risky for Sallie Mae. Previously, two employees worked full-time to compile the access privileges of thousands of employees into spreadsheets, then route them to business managers for review. Some managers were being asked to review and validate access data in spreadsheets with more than 3,000 entries.
We are in a period of time here where we need to get out in front and solve this problem. You don't want to be the guy with the shovel following the circus parade.
Jerry Archer, senior vice president and CSO, Sallie Mae Inc.
Before the IdentityIQ installation, Sallie Mae had "a lick and a promise at certification," Archer said. Now, there's a genuine certification process -- and a more secure on-ramp to the cloud. "Like everyone else, we are looking at moving outside our four walls, and will move in that direction quickly. We will get to the cloud version [of IdentityIQ] soon," he said.
For now, Archer remains focused on Sallie Mae's architecture, and is aggregating access to all core systems and defining roles for half the workforce. He's already completed that work for 50% of workers -- mainly onshore servicing reps who typically have 100 to 150 accesses, he said. By the end of 2011, he will have defined roles for 80% of Sallie Mae's 9,000 employees.
Cloud insurance to hedge against the risk?
For IT executives who are already operating in the cloud -- or even just preparing for it, as Archer is -- the recent outage and breaches also have put the topic of cloud insurance back on the table as an option for remuneration in case of what some call inevitable: downtime.
While a lot of people are talking about cloud insurance, not a lot of enterprises are buying it, according to Drew Bartkiewicz, founder and CEO at CyberRiskPartners LLC, a New York-based consultancy that advises enterprises about risk. The problem is that IT leaders do not understand risk economics and hedging risk, and risk managers do not understand IT, he said. As a result, companies are spending millions of dollars more on security to get the equivalent of a ninth seatbelt installed in a car, rather than accept that a car's financial liability is not always a function of "better security."
One way a cloud customer can get a rough sense of the financial risk involved in public cloud computing is to look at a Ponemon Institute LLC study that claims that a security breach costs an organization approximately $204 per record compromised. That figure is an underestimate, however, because it does not take into consideration all the reputational harm done to a company that is temporarily unavailable because of a data breach, said Tanya Forsheit, a founding partner at InfoLawGroup LLP in Los Angeles.
IT executives can minimize this risk by employing such strategies as secure identity management before migrating to the cloud, but the most vexing problem is that the cloud industry "has a long way to go before it provides the transparency needed for true IT governance," Sallie Mae's Archer said.
"We are in a period of time here where we need to get out in front and solve this problem," Archer said of the lapses. "You don't want to be the guy with the shovel following the circus parade."
Let us know what you think about the story; email Laura Smith, Features Writer.