
Cloud security rebuttal: Don't rebuke the many for the sins of the few

David Geer | Jan. 23, 2013
Long-time cloud security advocate Chris Hoff challenges our recent '7 deadly sins' story

Did CSOonline's 7 deadly sins of cloud computing story lack enlightenment?

One well-respected cloud security figure --Christopher Hoff, Chief Architect for Security at Juniper Networks--tweeted a response to the story, saying "Reading stuff like this sucks my will to live."

We asked Hoff to elaborate. It appears that the cardinal offense was castigating the innocent together with the guilty, when many organizations already refrain from committing the seven cloud mistakes the feature calls out.

But how do we separate the innocent from the guilty? According to Hoff, the innocent include any number of seasoned CSOs, CISOs, and CIOs at large enterprises, while the guilty are almost certainly among the scrappy-if-under-resourced SMEs / SMBs and start-ups. Read on as CSO magazine explores Christopher Hoff's analysis of the "7 deadly sins" story's targeting and audience--and what to do better next time.

Wait a Minute--Who's Doing This Stuff?

In a recent conversation with CSO magazine, Hoff argued the need to clarify the real audience for basic cloud security information.

"A CIO of a Fortune 500 company--and I will pick any one of the twenty I have spoken to in the last three months--would probably be offended by the notion that you are making them seem like they don't do their job," says Hoff. Hoff makes a respectable three-part argument for why the article offends large enterprise C-levels, based in part on why they are unlikely to commit the seven sins to begin with.

First, according to Hoff, none of the seven sins is specific to cloud: each is a generic concern that applies whenever a security C-level outsources a new service or brings any disruptive new technology online.

"There is nothing particularly unique about the difference between ASP [and] SaaS from a security perspective that we haven't dealt with iteratively every time we've had an inflection point in compute," Hoff says. So, by the time an IT or security leader reaches C-level status at a large enterprise, he has already learned to apply the same logic elsewhere, and thus has the drop on those seven deadly sins.

Second in Hoff's argument is the premise that the amount of written advice, guidance, and enumeration of these issues and others like them is already extensive. The Cloud Security Alliance (CSA), in which Hoff participates, has published cloud security guidance covering three major areas: architecting the cloud, using the cloud, and governing the cloud.

"There are 13 categories [within those areas] in the CSA Guidance that go into in-depth detail," says Hoff. The first chapter of the guidance, on architecture, summarizes what is the same and what is different in the cloud, as well as what a C-level leader should anticipate from a security perspective and a compliance perspective.
