Putting data “into the cloud” isn’t just about theft of data (that’s obviously one very important part of information security).
Information Security Management includes, at the very least:

a) Ensuring that non-authorized parties don't get access (so theft of online data via application vulnerabilities, vulnerabilities in the provider's infrastructure, theft of data at rest, theft of data in transit).

b) Ensuring that authorized parties do have access (e.g. ensuring that denial-of-service attacks against the application, authentication services and utility services can be mitigated, and when the sh*t does hit the fan, you don't get finger pointing between suppliers).

c) Ensuring information assurance: the data is valid and accurate (i.e. not corrupt or tampered with), the data can be restored to known good values (if required), and there are adequate audit logs of access and potentially of changes.

Aside from information management, there's the whole other realm of how a business extends their other services (request, release, change, incident/problem etc. management) into a different environment. Do you have the skills, processes and appropriate technology (including license agreements etc.) to adequately manage and monitor this environment to your necessary regulatory and service level requirements? For small(er) orgs this is generally not really too much of an issue. But as the org, tech footprint and regulatory burden get more complex, it rapidly becomes a nightmare. For large orgs, especially in regulated environments, there are reams and reams of requirements, and getting this all squared up in a new environment (external or otherwise) is quite cumbersome.

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Greg Keogh
Sent: Thursday, 26 February 2015 6:18 PM
To: ozDotNet
Subject: Re: Azure and security trust

(resend due to forgetting to remove the quoted content and thereby blowing the post size limit)

Chaps, thanks for the great comments on this. I've forwarded a paste-up of the important parts to the person I'm working with on the hospital data. Next time I talk to someone who manages web servers or an IT department and I get the old argument that they don't trust putting data in the cloud, I'm going to ask them to explain to me what their policies are regarding backups, security defense, threat models, intrusion detection, etc., and what skills they have. When I get a confused and indignant reply I can take the high ground in the argument and borrow some points from what Greg L said. Now that we know that major governments and security services are spying on us by devious means, I guess there's nothing you can do against that (or a court order) without politicians getting involved. However, that's not a typical threat to a business application containing personal information. Hospitals aren't worried about ASIO stealing their databases, they're worried about complying with state and federal laws, and from what I've read so far, Azure management seem to be working hard to build trust in this area. I'm certainly feeling much more confident about Azure security after what I've read in the last couple of days. I'm going to continue to develop the demo in Azure anyway, as it's really convenient.

Greg K