Hong Kong's leading CIOs of 2011 - enterpriseinnovation.net

SPECIAL: CLOUDCOMPUTING
4 continued from page 24
Injection; cross-site scripting; and broken
authentication and session management.
Clients need to take a more farsighted
view of application development, said
Lim. “Organizations want their new applications
fast and cheap, but if they are
fast and good, they can’t be cheap, and
if they are fast and cheap, they can’t be
good. Developers are not educated in secure
coding and they forget that firewalls
don’t stop application attacks.”
Data leakage must be carefully guarded
against when retaining cloud services.
In some cases, cloud providers may outsource
capacity so that users’ data may
be processed by a 3rd party. “The worst
thing is when your data is stored by a
third party provider. If a hacker steals
your customer data from the 3rd party,
you are in big trouble—you may go to
jail, but the cloud provider is in South
America.”
SLA issues
Cloud SLAs should include continuity
in case of catastrophe, said Lim.
“For example, when Lehman Brothers
suddenly closed in 2009, the IT
staff who looked after hard disks full
of transactions and customer data lost
their jobs. So where did the data go—is
it for sale on eBay”
Another issue is data that is usually
encrypted, so that when it is transmitted
across the network, it needs policy-based
secure email, said Lim. “Paper documents
should be protected by a classification
label indicating their sensitivity,
supported by a corporate policy on classified
emails. Classified emails should
be kept in an envelope when transported.
And to guarantee that the email is authentic
and has not been changed, we
need to add a digital signature to important
documents that are transmitted.”
Lim advocates “intuitive email security”,
using the same security classification
and controls as for paper documents.
“This minimizes user training,
and provides centralized control through
a security policy, logged entries that can
be audited, and centralized key and certificate
management.”
Lim also drew attention to security
education and standards, including a
key facilitator for secure software, the
CSSLP Certification for Application Development
Teams.
IBM’s Lim: Developers are not educated in
secure coding and they forget that firewalls
don’t stop application attacks
Web weaknesses
In the panel on cloud security, Chairman
Henry Ng, head of Global Professional
Services, North Asia & Japan, Verizon
Business, asked Lim if his concerns about
software vulnerability were really specific
to the cloud. “If an enterprise faces security
concerns about its applications, the
problems will still be there in the cloud,
but the cloud provider may provide better
security for SaaS that the enterprise could
with on-premises software”
Maybe or maybe not, said Lim. “The
cloud is a superset of enterprise web applications
and services that are relatively
new. Yes, we may hope the cloud provider
has better security, but they are still
working on that.”
Another panelist thought software is
less safe on the Web. “When enterprises
used proprietary software, they were not
threatened by Web malware,” said SE
Leung, senior consultant, Hong Kong
Productivity Council. “Now, enterprises
use SaaS and the staff use a browser
that’s not patched, they download a trojan
and you have data leakage. So moving
to the cloud is more than just a process
change.”
Cloud profiling
Responsibility for security continues
with cloud service. “I formerly handled
technology crime prevention with the
police and I learned that users need to
treat the cloud provider exactly the same
as their own IT department,” said Tony
Fung, senior investigation manager,
AP, Microsoft. “Users need to demand
the same SLAs, and service integrity
checks, and checks on the background of
staff and on the security standards used.”
Users can scrutinize cloud providers’
security, but only if these giant organizations
play ball. “When enterprises
outsource IT, they check out the service
provider.” asked Ng. “But can users do
background checks on the staff and procedures
at Google or Amazon”
An audience member pointed out that
SMEs in Hong Kong cannot do security
evaluation of cloud providers located
overseas, and asked how compliance requirements
handle this issue. “It’s not
really about the law,” said Kang. “If customer
data is the concern, then I should
choose a cloud provider located in Hong
Kong.”
People are also vulnerable on the
Web. “With so many people using
Facebook, social networking is a big
part of the cloud,” said Emil Chan,
council member, Internet Professional
Association. “We have to focus on the
vulnerability of people to social engineering,
just as much as the technical
security issues.” 3
C
M
Y
CM
MY
CY
CMY
K
26 Computerworld Hong Kong July/August 2011 www.cw.com.hk